#!/usr/bin/env bash
#
# reset-lab.sh - restore the Mercator lab to a pristine state between
# ssrf2redis.py runs, so the SSRF -> Redis -> webshell chain can be
# re-tested as a true one-shot.
#
# Steps:
# 1. ensure the colocated redis-poc container is running
# 2. delete the dropped PHP webshell from the Mercator webroot
# 3. reset Redis (FLUSHALL + dir/dbfilename back to defaults) - a stale
# `dir` left pointing at the webroot would let a degenerate exploit
# "succeed" without doing CONFIG SET itself, i.e. a false positive
# 4. verify the lab is clean (webshell -> HTTP 404)
#
# Only the named webshell artifact is ever removed - Mercator's own files
# (index.php, ...) are never touched.
#
# Usage: ./reset-lab.sh [webshell-name] (default: poc.php)
#
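set -euo pipefail

# Lab coordinates: the machine name handed to `orb -m`, the Redis container
# name, the Mercator webroot inside that machine, and the base URL used for
# the final HTTP check.
VM="mercator-lab"
REDIS_CTR="redis-poc"
WEBROOT="/var/www/mercator/public"
BASE="http://127.0.0.1:8000"

#######################################
# Decide whether a caller-supplied artifact name is safe to act on.
# The name is appended to WEBROOT for a delete inside the VM and to BASE for
# the HTTP check, so it has to be a single path component: no '/', no '..',
# no quotes or other shell metacharacters. index.php is refused as well,
# because the script promises never to touch Mercator's own files.
# Arguments: $1 - candidate file name
# Returns:   0 if the name is acceptable, 1 otherwise
#######################################
is_safe_artifact_name() {
  case "$1" in
    '' | . | .. | index.php) return 1 ;;
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Optional first argument selects the artifact; default is poc.php.
SHELL_NAME="${1:-poc.php}"
if ! is_safe_artifact_name "$SHELL_NAME"; then
  # Stop before any lab state is changed; exit 2 marks a usage error.
  printf '%s\n' "[-] Refusing artifact name '${SHELL_NAME}': expected a plain file name (letters, digits, '.', '_', '-') other than index.php" >&2
  exit 2
fi
echo "[*] Resetting Mercator lab (artifact: ${SHELL_NAME})"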
# 1. make sure the Redis container is running
# `docker ps -q` prints a container id only for a running container whose name
# matches the anchored filter; empty output means it has to be started.
# `|| true` keeps a failing lookup from aborting the script here, so an empty
# result is still handled by the start attempt below.
running_id="$(orb -m "$VM" docker ps -q -f "name=^${REDIS_CTR}$")" || true
if [[ -z "$running_id" ]]; then
  printf '%s\n' "[*] ${REDIS_CTR} is down -> starting it"
  orb -m "$VM" docker start "$REDIS_CTR" >/dev/null
fi
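# 2. delete the webshell artifact (exact name only)
# The path is handed to the remote shell as a positional parameter ($1)
# instead of being spliced into the command string, so a quote or other shell
# metacharacter in the name cannot change the command that runs in the VM.
# `--` stops rm from reading the path as an option.
# Assumes `orb` forwards arguments unchanged, which the rest of this script
# already relies on.
# Best-effort: a failed delete is ignored here; the HTTP check in step 4 is
# what reports an artifact that is still being served.
orb -m "$VM" bash -lc 'rm -fv -- "$1"' _ "${WEBROOT}/${SHELL_NAME}" \
  | sed 's/^/ removed: /' || true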
# 3. put Redis back into its pristine state

#######################################
# Run redis-cli inside the Redis container of the lab VM.
# Globals:   VM (read), REDIS_CTR (read)
# Arguments: redis-cli arguments, forwarded unchanged
# Outputs:   whatever redis-cli prints
#######################################
rcli() {
  orb -m "$VM" docker exec "$REDIS_CTR" redis-cli "$@"
}

# Wipe all keys, then point dir/dbfilename away from the webroot again so a
# later run cannot pass on leftover configuration from a previous one.
# NOTE(review): confirm that redis-cli in this image exits non-zero on an
# error reply; otherwise a rejected CONFIG SET would go unnoticed here.
{
  rcli FLUSHALL
  rcli CONFIG SET dir /data
  rcli CONFIG SET dbfilename dump.rdb
} >/dev/null
printf '%s\n' "[+] Redis flushed (dbsize=$(rcli DBSIZE)), dir/dbfilename reset to defaults"
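# 4. verify clean state
# The artifact URL must answer 404 for the lab to count as clean.
# A curl failure (web server down, connection refused) would otherwise abort
# the script under `set -e` without any message; keep the status it printed
# (000 when no HTTP response was received) and fall through to the warning.
code="$(curl -s -o /dev/null -w '%{http_code}' "${BASE}/${SHELL_NAME}")" || code="${code:-000}"
if [ "$code" = "404" ]; then
  echo "[+] Clean: ${BASE}/${SHELL_NAME} -> 404"
  echo "[+] Lab reset complete - ready for a fresh exploit run"
else
  # Any other status means the artifact may still be served, or the app is
  # unreachable; either way the lab is not in a known-clean state.
  echo "[-] WARNING: ${BASE}/${SHELL_NAME} -> ${code} (expected 404)"
  exit 1
fi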