PodHawk 1.85 Arbitrary File Upload

# Title: PodHawk Arbitary File Upload Vulnerability # Vulnerability discoverer: CWH Underground # Website: www.2600.in. th # developer Website: http://podhawk.sourceforge.net# Download: http://jaist.dl.sourceforge.net/project/podhawk/podhawk/podhawk_1_85/podhawk_1_85.zip# Affected Versions: 1.85 # tested systems: window and Linux ##################################### ############### VULNERABILITY: unrestricted File Upload/podhawk/uploadify. php (LINE: 33-44) ------------------------------------------------------------------------------- if (! Empty ($ _ FILES) {if ($ _ GET ['upload _ type'] = 'audio') {$ writable = 'upload'; $ targetPath = UPLOAD_PATH ;} else {$ writable = 'images'; $ targetPath = IMAGES_PATH ;} -----------------------------------------------------------------------------####################################### ############ description of This application has an upload feature that allows an authenticated userwith Administrator roles or User roles to upload arbitrary files cause remote code execution simply request it. ######################################## ############ exploit poc 1. log On User account (Author) account2. Access http://www.bkjia.com /Podhawk/index. php? Page = record13. Upload a file to the upload folder via "Browse" 4. Upload PHP shell (shell. php) and upload it5. For access shell, http://target/podhawk/upload/shell.php6 . Server Compromised !!