Hyip Rio 2.1 - Arbitrary File Upload

Exploit Author: CraCkEr Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-09-04 
# Exploit Title: Hyip Rio 2.1 - Arbitrary File Upload
# Exploit Author: CraCkEr
# Date: 30/07/2023
# Vendor: tdevs
# Vendor Homepage: https://tdevs.co/
# Software Link: https://hyiprio-feature.tdevs.co/
# Version: 2.1
# Tested on: Windows 10 Pro
# Impact: Allows User to upload files to the web server
# CVE: CVE-2023-4382


## Description

Allows Attacker to upload malicious files onto the server, such as Stored XSS


## Steps to Reproduce:

1. Login as a [Normal User]
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/user/settings
3. Upload any Image into the [avatar]
4. Capture the POST Request with [Burp Proxy Intercept]
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]

-----------------------------------------------------------
POST /user/settings/profile-update HTTP/2

Content-Disposition: form-data; name="avatar"; filename="XSS.svg"
Content-Type: image/png

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by Skalvin");
</script>
</svg>
-----------------------------------------------------------

6. Send the Request
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS] or right-click on the Avatar and Copy the Link
8. Access your Uploded Evil file on this Path: https://website/assets/global/images/********************.svg



[-] Done


Hyip Rio 2.1 – Arbitrary File Upload Vulnerability: A Deep Dive into Stored XSS Exploitation

Hyip Rio 2.1, a popular cryptocurrency investment platform developed by tdevs, has recently been flagged for a critical security flaw: Arbitrary File Upload. This vulnerability, identified as CVE-2023-4382, allows attackers to upload malicious files—specifically crafted SVGs—onto the server, leading to potential Stored Cross-Site Scripting (XSS) attacks. The exploit, discovered and documented by security researcher CraCkEr, demonstrates how seemingly innocuous features like avatar uploads can become gateways for persistent web-based attacks.

Understanding the Vulnerability

At its core, this vulnerability stems from improper file validation and content-type handling within the /user/settings/profile-update endpoint. Despite the platform expecting image uploads (e.g., PNG, JPEG), the system fails to enforce strict file extension checks or perform deep content analysis on uploaded files. This oversight enables attackers to bypass security controls by renaming a file to .svg and injecting executable JavaScript code within the SVG structure.

SVG (Scalable Vector Graphics) files are inherently XML-based and support embedded scripts. While typically used for visual design, they can also execute JavaScript when rendered in a browser—making them a prime vector for XSS exploitation, especially when the file is stored in a publicly accessible directory.

Step-by-Step Exploitation Process

Below is a detailed breakdown of how an attacker can exploit this vulnerability:

  • Authentication: Log in as a regular user. No privileged access is required.
  • Navigation: Access the Profile Settings page at https://website/user/settings.
  • File Upload: Select any image file (e.g., image.png) and upload it as the user avatar.
  • Interception: Use Burp Suite Proxy to intercept the POST request.
  • Manipulation: Modify the filename field to XSS.svg and change the Content-Type to image/png—a deceptive tactic to trick the server into accepting the file.
  • Injection: Insert malicious JavaScript code inside the SVG payload.
  • Submission: Send the modified request to the server.
  • Verification: Retrieve the uploaded file’s URL via Burp Logger or by inspecting the avatar link.
  • Execution: Access the uploaded .svg file in a browser—triggering the XSS payload.

Malicious Payload Example






  
  
    alert("XSS by Skalvin");

Explanation: This SVG file contains a harmless-looking triangle shape but embeds a JavaScript alert() function. When the file is loaded in a browser, the script executes, displaying a pop-up message. In a real-world attack, this could be replaced with more dangerous payloads—such as stealing session cookies, redirecting users to phishing pages, or executing malicious scripts via document.location or fetch().

Impact and Risks

Risk Category Description
Stored XSS Malicious code persists on the server and executes whenever the file is accessed, affecting all users who view the avatar.
Privilege Escalation Attackers can upload scripts to manipulate user sessions or bypass authentication mechanisms.
Phishing & Malware Delivery SVG files can be used to redirect users to malicious domains or download malware.
Server Compromise With additional exploitation, uploaded files may enable remote code execution if the server lacks proper sandboxing.

Why This is a Critical Flaw

Arbitrary file upload vulnerabilities are among the most dangerous in web application security. They allow attackers to:

  • Upload malicious scripts (e.g., .php, .js, .svg) without detection.
  • Exploit file type misclassification (e.g., Content-Type mismatch).
  • Execute code in the context of the victim’s browser.
  • Store payloads permanently, making them persistent across sessions.

Even if the file is not directly executable, the stored XSS nature means the attack remains active until the file is removed—making it a long-term threat.

Defensive Measures & Recommendations

To prevent such vulnerabilities, developers must implement the following security controls:

  • Strict File Extension Whitelisting: Only allow specific image formats (e.g., .jpg, .png, .gif) and reject others.
  • Content-Type Validation: Validate both the Content-Type header and file content using MIME type detection libraries.
  • File Content Scanning: Use tools like libmagic or Apache Tika to verify file type based on actual content, not just extension.
  • Sanitization of Uploaded Files: Strip or block script tags and executable code from SVG and other rich media formats.
  • Upload Directory Restrictions: Store uploaded files in non-web-accessible directories, or serve them via a secure proxy.
  • Rate Limiting & Monitoring: Implement logging and rate limiting to detect suspicious upload patterns.

Real-World Implications

Hyip Rio 2.1 is a platform where users deposit funds and expect trust in the system. A stored XSS exploit could:

  • Steal user credentials via document.cookie extraction.
  • Redirect users to fake login pages (phishing).
  • Manipulate transaction data by injecting scripts into dashboard views.
  • Compromise entire user communities if the avatar is displayed on public profiles.

This vulnerability underscores a broader issue: “Trust in User Input” is a dangerous assumption. Even minor features like avatar uploads can become attack vectors if not rigorously secured.

Conclusion

Arbitrary file upload vulnerabilities like the one in Hyip Rio 2.1 are not just theoretical—they are actively exploited in real-world environments. The CVE-2023-4382 exploit demonstrates how a simple file upload feature, when poorly implemented, can lead to persistent XSS attacks with significant impact. Developers must treat every file upload as a potential security breach and apply defense-in-depth principles.

Security is not a one-time fix—it’s an ongoing process. Regular audits, automated scanning, and strict input validation are essential to safeguard web applications from evolving threats.