Introduction
# Overview
After reading @zhero___'s write-up on his personal blog, I decided to build this CTF to learn how things work, and then I decided to share it with anybody who wants to learn how to exploit this vulnerability. Big shout-out to zhero & inzo_; you can find their blog post here: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
## Goal
You should bypass the middleware and find the flag on the admin page. You can also read the amazing Assetnote research, which will help you bypass it faster: https://www.assetnote.io/resources/research/doing-the-due-diligence-analyzing-the-next-js-middleware-bypass-cve-2025-29927
## Getting Started
1. Clone the repository:
```bash
git clone https://github.com/pouriam23/Next.js-Middleware-Bypass-CVE-2025-29927-.git
cd Next.js-Middleware-Bypass-CVE-2025-29927-
```
2. Install dependencies:
```bash
npm install
# or
yarn install
```
3. Set up environment variables:
Create a `.env` file in the root directory and add the following:
```env
DATABASE_URL="your-database-url"
JWT_SECRET="your-jwt-secret"
```
4. Initialize the database:
```bash
npx prisma generate
npx prisma db push
```
## Running the CTF
Development mode:
```bash
npm run dev
# or
yarn dev
```
File snapshot
```
[4.0K] /data/pocs/c3c01ea4a5d31361a0184dd0406786abef2907e3
├── [ 448] components.json
├── [  91] next.config.mjs
├── [ 228] next-env.d.ts
├── [1.1K] package.json
├── [229K] package-lock.json
├── [ 135] postcss.config.mjs
├── [4.0K] prisma
│   ├── [4.0K] migrations
│   │   ├── [4.0K] 20250420204712_init
│   │   │   └── [ 371] migration.sql
│   │   └── [ 128] migration_lock.toml
│   └── [ 623] schema.prisma
├── [1.2K] README.md
├── [4.0K] src
│   ├── [4.0K] app
│   │   ├── [4.0K] admin
│   │   │   └── [ 646] page.tsx
│   │   ├── [4.0K] api
│   │   │   └── [4.0K] auth
│   │   │       ├── [4.0K] login
│   │   │       │   └── [1.5K] route.ts
│   │   │       └── [4.0K] register
│   │   │           └── [1.3K] route.ts
│   │   ├── [4.0K] dashboard
│   │   │   └── [2.5K] page.tsx
│   │   ├── [ 25K] favicon.ico
│   │   ├── [4.0K] fonts
│   │   │   ├── [ 66K] GeistMonoVF.woff
│   │   │   └── [ 65K] GeistVF.woff
│   │   ├── [1.7K] globals.css
│   │   ├── [ 742] layout.tsx
│   │   ├── [4.0K] login
│   │   │   └── [5.6K] page.tsx
│   │   ├── [ 250] page.tsx
│   │   └── [4.0K] signup
│   │       └── [6.8K] page.tsx
│   ├── [4.0K] components
│   │   └── [4.0K] ui
│   │       ├── [1.9K] button.tsx
│   │       ├── [1.8K] card.tsx
│   │       ├── [4.0K] form.tsx
│   │       ├── [ 768] input.tsx
│   │       └── [ 724] label.tsx
│   ├── [4.0K] generated
│   │   └── [4.0K] prisma
│   │       ├── [  23] client.d.ts
│   │       ├── [  36] client.js
│   │       ├── [  23] default.d.ts
│   │       ├── [  36] default.js
│   │       ├── [  25] edge.d.ts
│   │       ├── [7.0K] edge.js
│   │       ├── [6.1K] index-browser.js
│   │       ├── [ 69K] index.d.ts
│   │       ├── [7.2K] index.js
│   │       ├── [3.8K] package.json
│   │       ├── [4.0K] runtime
│   │       │   ├── [164K] edge-esm.js
│   │       │   ├── [164K] edge.js
│   │       │   ├── [ 11K] index-browser.d.ts
│   │       │   ├── [ 34K] index-browser.js
│   │       │   ├── [116K] library.d.ts
│   │       │   ├── [196K] library.js
│   │       │   ├── [177K] react-native.js
│   │       │   └── [127K] wasm.js
│   │       ├── [ 634] schema.prisma
│   │       ├── [  23] wasm.d.ts
│   │       └── [6.1K] wasm.js
│   ├── [4.0K] lib
│   │   ├── [1.6K] auth.ts
│   │   ├── [ 166] utils.ts
│   │   └── [4.0K] validations
│   │       └── [1.3K] auth.ts
│   └── [1.2K] middleware.ts
├── [1.6K] tailwind.config.ts
└── [ 578] tsconfig.json

21 directories, 54 files
```