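"""Probe a fixed list of IIS/ASP.NET-related paths on one host and log the results.

Each entry in ``paths`` is requested once through ``curl``. The status line is
printed and collected, and the first 500 characters of any response body that
is not the site's single-page-app shell are written to ``phase9-results.txt``.

Reading the report:
* The host answers unknown routes with its SPA shell, so a bare 200 is not
  evidence that a file is served. A 200 is flagged as accessible only when the
  body differs from that shell.
* A 403 can come from a WAF or a request-filtering rule and does not show that
  the path exists on disk.
* Captured bodies may contain configuration values or credentials. Store and
  share the results file as sensitive evidence.
"""
import subprocess

BASE_URL = 'https://www.realwave.com'
# Text seen near the top of the SPA shell that the host returns for unknown routes.
SPA_MARKER = 'RealWave AI'
RESULTS_FILE = 'phase9-results.txt'
# Per-request budget in seconds, enforced by curl itself.
CURL_MAX_TIME = 15

paths = [
    'web.config',
    'Web.config',
    'Global.asax',
    'elmah.axd',
    'trace.axd',
    'iisstart.htm',
    '_vti_bin/',
    'aspnet_client/',
    'Telerik.Web.UI.WebResource.axd',
    'ScriptResource.axd',
    'WebResource.axd',
    'bin/',
    'App_Data/',
    'packages.config',
    'appsettings.json',
    'appsettings.Development.json',
    'swagger/index.html',
    'swagger/v1/swagger.json',
    'api/swagger.json',
    '.env',
    '.git/config',
    '.git/HEAD',
    'robots.txt',
    'sitemap.xml',
    'crossdomain.xml',
    'clientaccesspolicy.xml',
    '.well-known/security.txt',
    'security.txt',
]


def split_response(stdout):
    """Split curl output of the form ``<body>\\n<http_code>`` into ``(code, body)``.

    The status code is whatever follows the last newline. A missing or empty
    code is reported as ``'000'``, the value curl prints for a failed transfer.
    """
    body, _, code = stdout.rpartition('\n')
    return (code.strip() or '000'), body


def has_unique_content(body):
    """Return True when *body* is longer than 10 characters and is not the SPA shell."""
    return len(body) > 10 and SPA_MARKER not in body[:300]


def status_marker(code, body):
    """Return the annotation appended to a result line for this status and body."""
    if code == '200':
        if has_unique_content(body):
            return ' *** ACCESSIBLE ***'
        # The catch-all route also answers 200, so this is not a finding.
        return ' [200 but SPA shell or empty body]'
    if code == '403':
        # Deliberately makes no claim about existence (see module docstring).
        return ' [forbidden]'
    return ''


def fetch(url):
    """GET *url* with curl and return ``(status_code, body)``.

    One request yields both values, so each path is requested once instead of
    twice. A hung transfer is reported as ``'000'`` rather than aborting the
    run and losing the results gathered so far.
    """
    cmd = [
        'curl', '-s',
        '--max-time', str(CURL_MAX_TIME),
        '-w', '\n%{http_code}',
        url,
    ]
    try:
        proc = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
            errors='replace',  # binary responses must not raise UnicodeDecodeError
            timeout=CURL_MAX_TIME + 5,  # backstop in case curl itself hangs
        )
    except subprocess.TimeoutExpired:
        return '000', ''
    return split_response(proc.stdout)


def main():
    """Request every path, print the status table and write the report file."""
    results = []
    captured = []
    for path in paths:
        code, body = fetch(f'{BASE_URL}/{path}')
        line = f'/{path:<50} {code}{status_marker(code, body)}'
        results.append(line)
        print(line)
        if has_unique_content(body):
            # Keep only the excerpt that is written out, not the whole body.
            captured.append((path, code, body[:500]))

    with open(RESULTS_FILE, 'w', encoding='utf-8') as f:
        f.write('=== PHASE 9: IIS/ASP.NET PATH FUZZING ===\n\n')
        f.write('PATH' + ' ' * 48 + 'STATUS' + '\n')
        f.write('-' * 70 + '\n')
        for line in results:
            f.write(line + '\n')

        f.write('\n=== Content of accessible paths ===\n')
        for path, code, excerpt in captured:
            # The status is recorded so an error page is not mistaken for a served file.
            f.write(f'\n--- /{path} [HTTP {code}] (unique content) ---\n')
            f.write(excerpt + '\n')

    print("\nDone. Results saved to phase9-results.txt")


if __name__ == '__main__':
    main()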