# 标题  : PodHawk Arbitary File Upload Vulnerability # 漏洞发现者: CWH Underground # 网站 : #开发者官网: https://podhawk.sourceforge.net # 下载: https://jaist.dl.sourceforge.net/project/podhawk/podhawk/podhawk_1_85/podhawk_1_85.zip # 影响版本 : 1.85 # 已测试系统: Window and Linux    ##################################################### VULNERABILITY: Unrestricted File Upload     /podhawk/uploadify/uploadify.php (LINE: 33-44)    ----------------------------------------------------------------------------- if (!empty($_FILES)) {     if ($_GET['upload_type'] == 'audio')     {         $writable = 'upload';         $targetPath = UPLOAD_PATH;     }     else     {         $writable = 'images';         $targetPath = IMAGES_PATH;     } -----------------------------------------------------------------------------      ##################################################### 描述     This application has an upload feature that allows an authenticated user with Administrator roles or User roles to upload arbitrary files cause remote code execution by simply request it.   ##################################################### EXPLOIT POC     1. Log On User account (Author) account 2. Access /podhawk/podhawk/index.php?page=record1 3. Upload a file to the upload folder via "Browse" 4. Upload PHP shell (shell.php) and upload it 5. For access shell, https://target/podhawk/upload/shell.php 6. Server Compromised !!