-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathreact2scan.sh
More file actions
executable file
·145 lines (120 loc) · 3.47 KB
/
react2scan.sh
File metadata and controls
executable file
·145 lines (120 loc) · 3.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
#!/bin/bash
#
# This script is a lightweight proof‑of‑concept scanner designed to help
# vulnerability management teams identify systems potentially affected by
# React2Shell‑related error handling issues (referenced as CVE‑2025‑55182 / CVE‑2025‑66478)
#
# http://www.rootandbeer.com
# http://www.github.com/rootandbeer
#
DEFAULT_PORT=8443
PORT="$DEFAULT_PORT"
TARGET_INPUT=""
# Parse flags
while [[ $# -gt 0 ]]; do
case "$1" in
-p|--port)
PORT="$2"
shift 2
;;
*)
TARGET_INPUT="$1"
shift
;;
esac
done
echo "[*] React2Shell Detection Probe (CVE‑2025‑55182 / CVE‑2025‑66478)"
echo "[*] https://www.rootandbeer.com"
echo ""
echo "[*] Default Port: $DEFAULT_PORT"
echo ""
BOUNDARY="----WebKitFormBoundaryx8jO2oVc6SWP3Sad"
BODY=$(cat <<EOF
--${BOUNDARY}
Content-Disposition: form-data; name="1"
{}
--${BOUNDARY}
Content-Disposition: form-data; name="0"
["\$1:a:a"]
--${BOUNDARY}--
EOF
)
#############################################
# Scanner
#############################################
scan_target() {
local URL="$1"
echo "[*] Target: $URL"
RESPONSE=$(curl -s --max-time 3 -w "\n%{http_code}" \
-X POST "$URL" \
-H "Next-Action: x" \
-H "Content-Type: multipart/form-data; boundary=${BOUNDARY}" \
--data-binary "${BODY}" \
2>&1)
HTTP_CODE=$(echo "$RESPONSE" | tail -n1)
BODY_RESPONSE=$(echo "$RESPONSE" | sed '$d')
if [[ "${HTTP_CODE}" == "500" ]] && echo "${BODY_RESPONSE}" | grep -q 'E{"digest"'; then
echo "[!] VULNERABLE"
elif [[ "${HTTP_CODE}" == "500" ]]; then
echo "[?] UNKNOWN 500"
else
echo "[+] Not vulnerable (HTTP ${HTTP_CODE})"
fi
echo ""
}
#############################################
# Subnet expansion without nmap
#############################################
expand_cidr() {
local cidr="$1"
local ip=$(echo "$cidr" | cut -d/ -f1)
local mask=$(echo "$cidr" | cut -d/ -f2)
IFS='.' read -r i1 i2 i3 i4 <<< "$ip"
if [[ "$mask" != "24" ]]; then
echo "[-] Only /24 CIDR supported in this simple expander"
exit 1
fi
for last in $(seq 1 254); do
echo "$i1.$i2.$i3.$last"
done
}
expand_range() {
local range="$1"
local base=$(echo "$range" | cut -d. -f1-3)
local start=$(echo "$range" | awk -F. '{print $4}' | cut -d- -f1)
local end=$(echo "$range" | awk -F. '{print $4}' | cut -d- -f2)
for i in $(seq "$start" "$end"); do
echo "$base.$i"
done
}
#############################################
# Input routing
#############################################
if [[ -z "$TARGET_INPUT" ]]; then
echo "Usage:"
echo " $0 host"
echo " $0 192.168.1.0/24"
echo " $0 ips.txt"
echo " Optional: -p <port>"
exit 1
fi
if [[ -f "$TARGET_INPUT" ]]; then
echo "[*] Loading from file"
while read -r ip; do
[[ -z "$ip" ]] && continue
scan_target "http://$ip:$PORT"
done < "$TARGET_INPUT"
elif [[ "$TARGET_INPUT" =~ ^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/24$ ]]; then
echo "[*] Expanding CIDR $TARGET_INPUT"
for ip in $(expand_cidr "$TARGET_INPUT"); do
scan_target "http://$ip:$PORT"
done
elif [[ "$TARGET_INPUT" =~ - ]]; then
echo "[*] Expanding range $TARGET_INPUT"
for ip in $(expand_range "$TARGET_INPUT"); do
scan_target "http://$ip:$PORT"
done
else
echo "[*] Scanning single host"
scan_target "http://$TARGET_INPUT:$PORT"
fi