

PodHawk 1.85 Arbitrary File Upload

Source: Internet   Author: Anonymous   Date: 2015-10-19 08:39
# Title : PodHawk Arbitrary File Upload Vulnerability
# Discovered by: CWH Underground
# Website : www.2600.in.th
# Vendor site: http://podhawk.sourceforge.net
# Download: http://jaist.dl.sourceforge.net/project/podhawk/podhawk/podhawk_1_85/podhawk_1_85.zip
# Affected version : 1.85
# Tested on: Windows and Linux
#####################################################
VULNERABILITY: Unrestricted File Upload 

   
/podhawk/uploadify/uploadify.php (LINE: 33-44)

-----------------------------------------------------------------------------
if (!empty($_FILES))
{
    // $_GET['upload_type'] is supplied by the client; it only selects the
    // destination directory and is neither an authorisation nor a type check.
    if ($_GET['upload_type'] == 'audio')
    {
        $writable = 'upload';
        $targetPath = UPLOAD_PATH;   // the web-accessible upload/ directory
    }
    else
    {
        $writable = 'images';
        $targetPath = IMAGES_PATH;
    }
    // Nothing in this excerpt restricts the extension, inspects the content
    // or renames the file: the PoC below shows shell.php landing in upload/
    // under its original name.
-----------------------------------------------------------------------------
   
#####################################################
DESCRIPTION
   
This application has an upload feature that allows any authenticated user,
whether in the Administrator role or an ordinary User role, to upload arbitrary files.
Because the uploaded file keeps its name and is stored under the web root, uploading
a PHP file and then simply requesting it yields remote code execution.
 
#####################################################
EXPLOIT POC

   
1. Log on with a User account (the Author role is sufficient)
2. Access http://target/podhawk/index.php?page=record1
3. Click "Browse" and select a PHP web shell (e.g. shell.php)
4. Submit the upload; the file is written to the upload folder unchanged
5. Request the shell at http://target/podhawk/upload/shell.php
6. Server compromised !!
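The following is an added example for this page, not PodHawk's own code. It models the decision in the excerpt above (upload_type only chooses the directory, the client's file name is kept) next to a hardened gate that applies a per-type extension allow-list, checks the leading bytes of the content rather than the client's Content-Type, rejects double extensions, and assigns a server-chosen random name. It also includes a small scan that an incident responder can run over an existing upload directory to find files carrying PHP open tags, which is how a shell dropped through this bug would look on disk. The UPLOAD_PATH and IMAGES_PATH values, the allow-lists and the sample files are assumptions made for the example.

```python
"""Upload gate for the uploadify.php pattern (example, not PodHawk code).

UPLOAD_PATH / IMAGES_PATH values, the allow-lists and the sample uploads
below are assumptions chosen for this example."""
import secrets

UPLOAD_PATH = "upload"   # assumed value of PodHawk's UPLOAD_PATH constant
IMAGES_PATH = "images"   # assumed value of PodHawk's IMAGES_PATH constant

# Hypothetical policy: allowed extensions per upload_type and the leading
# bytes each must carry.
ALLOWED = {
    "audio": {"mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
              "ogg": (b"OggS",),
              "wav": (b"RIFF",)},
    "image": {"png": (b"\x89PNG\r\n\x1a\n",),
              "jpg": (b"\xff\xd8\xff",),
              "jpeg": (b"\xff\xd8\xff",),
              "gif": (b"GIF87a", b"GIF89a")},
}

NAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789_-")


class UploadRejected(ValueError):
    """Raised by hardened_target when a file fails a check."""


def vulnerable_target(upload_type, filename):
    """Decision logic of the page's snippet: only the directory is chosen;
    the client-supplied name, extension included, is kept verbatim."""
    target = UPLOAD_PATH if upload_type == "audio" else IMAGES_PATH
    base = filename.rsplit("/", 1)[-1]
    return f"{target}/{base}"


def hardened_target(upload_type, filename, head):
    """Return (directory, server_chosen_name) or raise UploadRejected.

    head is the first bytes of the uploaded content; the client's
    Content-Type is attacker-controlled, like the file name, and is ignored."""
    kind = "audio" if upload_type == "audio" else "image"
    target = UPLOAD_PATH if kind == "audio" else IMAGES_PATH
    base = filename.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    # Exactly one dot and a plain stem: rejects "shell.php.mp3", ".htaccess".
    if len(parts) != 2 or not parts[0] or not set(parts[0]) <= NAME_CHARS:
        raise UploadRejected(f"bad name {filename!r}")
    ext = parts[1]
    magics = ALLOWED[kind].get(ext)
    if magics is None:
        raise UploadRejected(f"extension .{ext} not allowed for {kind}")
    if not any(head.startswith(m) for m in magics):
        raise UploadRejected(f"content of {filename!r} is not a .{ext}")
    # Server-chosen random name: the client never controls what is written.
    return target, secrets.token_hex(16) + "." + ext


def check_all(upload_type, files):
    """Run hardened_target over {name: content}; map each name to a verdict."""
    verdicts = {}
    for name, data in files.items():
        try:
            directory, _ = hardened_target(upload_type, name, data[:16])
            verdicts[name] = "accepted -> " + directory
        except UploadRejected as exc:
            verdicts[name] = "rejected: " + str(exc)
    return verdicts


def scan_for_php(files):
    """Incident-response check over an existing upload directory
    ({name: content}): names whose bytes contain a PHP open tag."""
    return sorted(name for name, data in files.items()
                  if b"<?php" in data or b"<?=" in data)


# Constructed sample uploads (not real PodHawk files).
SAMPLES = {
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.php.mp3": b"ID3\x03\x00" + b"\x00" * 6 + b"<?php phpinfo(); ?>",
    "fake.mp3": b"<?php phpinfo(); ?>",
    "track.mp3": b"ID3\x03\x00" + b"\x00" * 20,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 20,
}

if __name__ == "__main__":
    print(vulnerable_target("audio", "shell.php"))   # upload/shell.php
    for name, verdict in check_all("audio", SAMPLES).items():
        print(f"{name:15} {verdict}")
    print("PHP found in:", scan_for_php(SAMPLES))
```

The gate is only half of the fix: the upload/ and images/ directories should also be served with script execution disabled (or moved outside the web root and served through a read-only handler), so that a file which slips past the checks is still returned as bytes rather than executed.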

 
