#!/bin/bash
# CodePress CMS Penetration Test Script
# WARNING: Only run this on systems you have permission to test!

TARGET="http://localhost:8080"
RESULTS_FILE="pentest_results.txt"

echo "🔒 CodePress CMS Penetration Test" > $RESULTS_FILE
echo "Target: $TARGET" >> $RESULTS_FILE
echo "Date: $(date)" >> $RESULTS_FILE
echo "========================================" >> $RESULTS_FILE
echo "" >> $RESULTS_FILE

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

vulnerable_count=0
safe_count=0

test_vulnerability() {
    local test_name="$1"
    local url="$2"
    local search_pattern="$3"
    local is_vulnerable="$4"
    
    echo -n "Testing: $test_name..."
    response=$(curl -s "$url")
    
    if echo "$response" | grep -q "$search_pattern"; then
        if [ "$is_vulnerable" = "true" ]; then
            echo -e "${RED}[VULNERABLE]${NC} ❌"
            echo "[VULNERABLE] $test_name - $url" >> $RESULTS_FILE
            ((vulnerable_count++))
        else
            echo -e "${GREEN}[SAFE]${NC} ✅"
            echo "[SAFE] $test_name - Pattern not found" >> $RESULTS_FILE
            ((safe_count++))
        fi
    else
        if [ "$is_vulnerable" = "true" ]; then
            echo -e "${GREEN}[SAFE]${NC} ✅"
            echo "[SAFE] $test_name - Attack blocked" >> $RESULTS_FILE
            ((safe_count++))
        else
            echo -e "${YELLOW}[UNKNOWN]${NC} ⚠️"
            echo "[UNKNOWN] $test_name - Unexpected response" >> $RESULTS_FILE
        fi
    fi
}

echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}1. XSS VULNERABILITY TESTS${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "1. XSS VULNERABILITY TESTS" >> $RESULTS_FILE
echo "----------------------------" >> $RESULTS_FILE

test_vulnerability \
    "XSS in page parameter" \
    "$TARGET/?page=<script>alert('XSS')</script>" \
    "<script>alert('XSS')</script>" \
    "true"

test_vulnerability \
    "XSS in search parameter" \
    "$TARGET/?search=<script>alert('XSS')</script>" \
    "<script>alert('XSS')</script>" \
    "true"

test_vulnerability \
    "XSS in lang parameter" \
    "$TARGET/?lang=<script>alert('XSS')</script>" \
    "<script>alert('XSS')</script>" \
    "true"

test_vulnerability \
    "XSS with HTML entities" \
    "$TARGET/?page=%3Cscript%3Ealert%281%29%3C%2Fscript%3E" \
    "<script>alert(1)</script>" \
    "true"

test_vulnerability \
    "XSS with SVG" \
    "$TARGET/?page=<svg/onload=alert(1)>" \
    "<svg/onload=alert(1)>" \
    "true"

test_vulnerability \
    "XSS with IMG tag" \
    "$TARGET/?page=<img src=x onerror=alert(1)>" \
    "<img src=x onerror=alert(1)>" \
    "true"

echo "" >> $RESULTS_FILE

echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}2. PATH TRAVERSAL TESTS${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "2. PATH TRAVERSAL TESTS" >> $RESULTS_FILE
echo "------------------------" >> $RESULTS_FILE

test_vulnerability \
    "Path traversal - basic" \
    "$TARGET/?page=../../../etc/passwd" \
    "root:" \
    "true"

test_vulnerability \
    "Path traversal - URL encoded" \
    "$TARGET/?page=..%2F..%2F..%2Fetc%2Fpasswd" \
    "root:" \
    "true"

test_vulnerability \
    "Path traversal - double encoding" \
    "$TARGET/?page=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd" \
    "root:" \
    "true"

test_vulnerability \
    "Path traversal - backslash" \
    "$TARGET/?page=..\\..\\..\\etc\\passwd" \
    "root:" \
    "true"

test_vulnerability \
    "Path traversal - mixed separators" \
    "$TARGET/?page=../..\\/../etc/passwd" \
    "root:" \
    "true"

test_vulnerability \
    "Path traversal - config access" \
    "$TARGET/?page=../engine/core/config" \
    "content_dir" \
    "true"

echo "" >> $RESULTS_FILE

echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}3. PHP CODE INJECTION TESTS${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "3. PHP CODE INJECTION TESTS" >> $RESULTS_FILE
echo "----------------------------" >> $RESULTS_FILE

test_vulnerability \
    "PHP wrapper - base64" \
    "$TARGET/?page=php://filter/read=convert.base64-encode/resource=index" \
    "PD9waHAgcmVxdWlyZV9vbmNl" \
    "true"

test_vulnerability \
    "Data URI PHP execution" \
    "$TARGET/?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==" \
    "PHP Version" \
    "true"

test_vulnerability \
    "Expect wrapper" \
    "$TARGET/?page=expect://id" \
    "uid=" \
    "true"

echo "" >> $RESULTS_FILE

echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}4. NULL BYTE INJECTION TESTS${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "4. NULL BYTE INJECTION TESTS" >> $RESULTS_FILE
echo "-----------------------------" >> $RESULTS_FILE

test_vulnerability \
    "Null byte in page" \
    "$TARGET/?page=../../../etc/passwd%00" \
    "root:" \
    "true"

test_vulnerability \
    "Null byte bypass extension" \
    "$TARGET/?page=test.txt%00.md" \
    "404" \
    "false"

echo "" >> $RESULTS_FILE

echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}5. COMMAND INJECTION TESTS${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "5. COMMAND INJECTION TESTS" >> $RESULTS_FILE
echo "---------------------------" >> $RESULTS_FILE

test_vulnerability \
    "Command injection in search" \
    "$TARGET/?search=test;whoami" \
    "uid=[0-9].*gid=[0-9]" \
    "true"

test_vulnerability \
    "Command injection with backticks" \
    "$TARGET/?search=\`whoami\`" \
    "uid=[0-9].*gid=[0-9]" \
    "true"

test_vulnerability \
    "Command injection with pipe" \
    "$TARGET/?search=test|whoami" \
    "uid=[0-9].*gid=[0-9]" \
    "true"

echo "" >> $RESULTS_FILE

echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}6. TEMPLATE INJECTION TESTS${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "6. TEMPLATE INJECTION TESTS" >> $RESULTS_FILE
echo "----------------------------" >> $RESULTS_FILE

test_vulnerability \
    "Mustache SSTI - basic" \
    "$TARGET/?page={{7*7}}" \
    "49" \
    "true"

test_vulnerability \
    "Mustache SSTI - complex" \
    "$TARGET/?page={{config}}" \
    "content_dir\|site_title" \
    "true"

echo "" >> $RESULTS_FILE

echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}7. HTTP HEADER INJECTION TESTS${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "7. HTTP HEADER INJECTION TESTS" >> $RESULTS_FILE
echo "-------------------------------" >> $RESULTS_FILE

echo -n "Testing: CRLF injection in lang..."
response=$(curl -s -I "$TARGET/?lang=nl%0d%0aX-Injected:header")
if echo "$response" | grep -q "X-Injected"; then
    echo -e "${RED}[VULNERABLE]${NC} ❌"
    echo "[VULNERABLE] CRLF injection - Header injection successful" >> $RESULTS_FILE
    ((vulnerable_count++))
else
    echo -e "${GREEN}[SAFE]${NC} ✅"
    echo "[SAFE] CRLF injection - Header injection blocked" >> $RESULTS_FILE
    ((safe_count++))
fi

echo "" >> $RESULTS_FILE

echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}8. INFORMATION DISCLOSURE TESTS${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "8. INFORMATION DISCLOSURE TESTS" >> $RESULTS_FILE
echo "--------------------------------" >> $RESULTS_FILE

echo -n "Testing: PHP version disclosure..."
response=$(curl -s -I "$TARGET/")
if echo "$response" | grep -q "X-Powered-By:"; then
    echo -e "${RED}[VULNERABLE]${NC} ❌"
    echo "[VULNERABLE] PHP version disclosed in headers" >> $RESULTS_FILE
    ((vulnerable_count++))
else
    echo -e "${GREEN}[SAFE]${NC} ✅"
    echo "[SAFE] PHP version hidden" >> $RESULTS_FILE
    ((safe_count++))
fi

test_vulnerability \
    "Directory listing" \
    "$TARGET/content/" \
    "Index of" \
    "true"

test_vulnerability \
    "Config file access" \
    "$TARGET/../config.json" \
    "site_title" \
    "true"

test_vulnerability \
    "Composer dependencies" \
    "$TARGET/vendor/composer/installed.json" \
    "\"name\":" \
    "true"

echo "" >> $RESULTS_FILE

echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}9. SECURITY HEADERS CHECK${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "9. SECURITY HEADERS CHECK" >> $RESULTS_FILE
echo "--------------------------" >> $RESULTS_FILE

headers=$(curl -s -I "$TARGET/")

echo -n "Testing: X-Frame-Options..."
if echo "$headers" | grep -q "X-Frame-Options:"; then
    echo -e "${GREEN}[PRESENT]${NC} ✅"
    echo "[PRESENT] X-Frame-Options header" >> $RESULTS_FILE
    ((safe_count++))
else
    echo -e "${RED}[MISSING]${NC} ❌"
    echo "[MISSING] X-Frame-Options header" >> $RESULTS_FILE
    ((vulnerable_count++))
fi

echo -n "Testing: Content-Security-Policy..."
if echo "$headers" | grep -q "Content-Security-Policy:"; then
    echo -e "${GREEN}[PRESENT]${NC} ✅"
    echo "[PRESENT] Content-Security-Policy header" >> $RESULTS_FILE
    ((safe_count++))
else
    echo -e "${RED}[MISSING]${NC} ❌"
    echo "[MISSING] Content-Security-Policy header" >> $RESULTS_FILE
    ((vulnerable_count++))
fi

echo -n "Testing: X-Content-Type-Options..."
if echo "$headers" | grep -q "X-Content-Type-Options:"; then
    echo -e "${GREEN}[PRESENT]${NC} ✅"
    echo "[PRESENT] X-Content-Type-Options header" >> $RESULTS_FILE
    ((safe_count++))
else
    echo -e "${RED}[MISSING]${NC} ❌"
    echo "[MISSING] X-Content-Type-Options header" >> $RESULTS_FILE
    ((vulnerable_count++))
fi

echo "" >> $RESULTS_FILE

echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}10. DOS VULNERABILITY TESTS${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "10. DOS VULNERABILITY TESTS" >> $RESULTS_FILE
echo "---------------------------" >> $RESULTS_FILE

echo -n "Testing: Large parameter DOS..."
long_param=$(python3 -c "print('A'*10000)")
response=$(curl -s -w "%{http_code}" -o /dev/null "$TARGET/?page=$long_param")
if [ "$response" = "200" ] || [ "$response" = "500" ]; then
    echo -e "${YELLOW}[POTENTIAL]${NC} ⚠️"
    echo "[POTENTIAL] Large parameter DOS - Server responded with $response" >> $RESULTS_FILE
else
    echo -e "${GREEN}[SAFE]${NC} ✅"
    echo "[SAFE] Large parameter DOS - Rejected with $response" >> $RESULTS_FILE
    ((safe_count++))
fi

echo "" >> $RESULTS_FILE

# Summary
echo -e "\n${YELLOW}========================================${NC}"
echo -e "${YELLOW}PENETRATION TEST SUMMARY${NC}"
echo -e "${YELLOW}========================================${NC}\n"
echo "PENETRATION TEST SUMMARY" >> $RESULTS_FILE
echo "=========================" >> $RESULTS_FILE

total=$((vulnerable_count + safe_count))
echo -e "Total tests: $total"
echo -e "${RED}Vulnerabilities found: $vulnerable_count${NC}"
echo -e "${GREEN}Safe tests: $safe_count${NC}"

echo "" >> $RESULTS_FILE
echo "Total tests: $total" >> $RESULTS_FILE
echo "Vulnerabilities found: $vulnerable_count" >> $RESULTS_FILE
echo "Safe tests: $safe_count" >> $RESULTS_FILE

if [ $vulnerable_count -gt 0 ]; then
    echo -e "\n${RED}⚠️  VULNERABILITIES DETECTED! Review $RESULTS_FILE for details.${NC}"
else
    echo -e "\n${GREEN}✅ All tests passed! System appears secure.${NC}"
fi

echo -e "\n📄 Full results saved to: $RESULTS_FILE"