PodHawk 1.85 – Arbitrary File Upload

• Exploit Database
• 121 阅读

• 作者： CWH Underground
  日期： 2013-06-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/26414/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64

  # Exploit Title : PodHawk Arbitary File Upload Vulnerability # Date: 23 June 2013 # Exploit Author: CWH Underground # Site: www.2600.in.th # Vendor Homepage : http://podhawk.sourceforge.net # Software Link : http://jaist.dl.sourceforge.net/project/podhawk/podhawk/podhawk_1_85/podhawk_1_85.zip # Version : 1.85 # Tested on : Window and Linux   ,--^----------,--------,-----,-------^--, | ||||||||| <code>--------&apos; |O .. CWH Underground Hacking Team .. </code>+---------------------------^----------| \_,-------, _________________________| / XXXXXX /</code>| / / XXXXXX /<code>\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( </code>------&apos;   ##################################################### VULNERABILITY: Unrestricted File Upload #####################################################   /podhawk/uploadify/uploadify.php (LINE: 33-44) ----------------------------------------------------------------------------- if (!empty($_FILES)) { if ($_GET[&apos;upload_type&apos;] == &apos;audio&apos;) { $writable = &apos;upload&apos;; $targetPath = UPLOAD_PATH; } else { $writable = &apos;images&apos;; $targetPath = IMAGES_PATH; } -----------------------------------------------------------------------------   ##################################################### DESCRIPTION #####################################################   This application has an upload feature that allows an authenticated user with Administrator roles or User roles to upload arbitrary files cause remote code execution by simply request it.   ##################################################### EXPLOIT POC #####################################################   1. Log On User account (Author) account 2. Access http://target/podhawk/podhawk/index.php?page=record1 3. Upload a file to the upload folder via "Browse" 4. Upload PHP shell (shell.php) and upload it 5. For access shell, http://target/podhawk/upload/shell.php 6. Server Compromised !!   ################################################################################################################ Greetz: ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 ################################################################################################################