Related vulnerability
Description
CVE-2025-29927 PoC | Auth Bypass Exploit | Python Tool using httpx | Middleware Vulnerability | Ethical Hacking Toolkit
Introduction
# Thank u Next – CVE-2025-29927 Exploit Tool
## 🧠 What is CVE-2025-29927?
> It’s not just a bypass — it’s a revelation. A single header, misunderstood and mishandled by middleware logic, becomes a master key to what was meant to be locked.
> CVE-2025-29927 exploits a **misconfigured middleware authorization layer** — specifically, systems that trust the header `x-middleware-subrequest` without validating the origin or context.
In simple terms?
You add a single header, and boom — you're in. No auth. No tokens. Just raw dominance.
---
## 🚀 How the Exploit Works (Technical Breakdown)
1. **Vulnerability Origin:**
   Many modern web apps use middleware to intercept and handle API requests. This header:
   ```plaintext
   x-middleware-subrequest: middleware
   ```
   is trusted by some frameworks (🤦), especially when deployed lazily. When present, the backend assumes the request has *already* passed authentication layers.
2. **Exploit Vector:**
   By crafting a request **with that header**, attackers can **bypass auth controls** and directly reach protected routes (e.g., `/api/private`, `/admin/dashboard`, etc.).
3. **HTTP Methods:**
   The tool supports GET, POST, PUT, DELETE, PATCH. Because we’re not just curious — we’re thorough.
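Defender's view of the same header, as an added example that is not part of this tool or its README: one function strips a client-supplied `x-middleware-subrequest` at the edge so the app's middleware never sees it, and another scans access logs for requests that carried it and got a 2xx. The JSON-per-line log format and the sample lines are constructed assumptions for the example.

```python
"""Defensive checks for the x-middleware-subrequest header (added example)."""
from __future__ import annotations

import json

# Header name from the write-up above; HTTP header names are case-insensitive.
SUBREQUEST_HEADER = "x-middleware-subrequest"


def sanitize_inbound_headers(headers: dict) -> tuple[dict, bool]:
    """Drop x-middleware-subrequest from client-supplied headers at the edge.

    Meant to run at a reverse proxy or gateway in front of the app, so the
    framework's middleware never sees a client-chosen value. Returns the
    cleaned header map and whether the header had been present.
    """
    cleaned = {k: v for k, v in headers.items() if k.lower() != SUBREQUEST_HEADER}
    return cleaned, len(cleaned) != len(headers)


def flag_bypass_attempts(log_lines: list[str]) -> list[dict]:
    """Scan JSON access-log lines for external requests that carried the
    header. A 2xx answer on such a request is the signal that the bypass
    described above may have worked and deserves investigation."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        hdrs = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        if SUBREQUEST_HEADER not in hdrs:
            continue
        status = int(rec.get("status", 0))
        hits.append({
            "src": rec.get("src"), "path": rec.get("path"), "status": status,
            "value": hdrs[SUBREQUEST_HEADER], "bypassed": 200 <= status < 300,
        })
    return hits


# Constructed sample log lines (assumed JSON-per-line format, not real traffic).
SAMPLE_LOG = [
    '{"src":"203.0.113.10","path":"/api/private","status":200,'
    '"headers":{"X-Middleware-Subrequest":"middleware"}}',
    '{"src":"203.0.113.11","path":"/login","status":200,"headers":{"User-Agent":"curl"}}',
    '{"src":"203.0.113.12","path":"/admin/dashboard","status":401,'
    '"headers":{"x-middleware-subrequest":"middleware"}}',
]
```

Running `flag_bypass_attempts(SAMPLE_LOG)` returns two hits: the `/api/private` request is marked `bypassed`, the `/admin/dashboard` one is not.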
---
## 🛠️ Script Overview
Filename: `thank_u_next.py`
```bash
python thank_u_next.py -u https://target.com -p /api/private -m GET
```
**Core Components:**
| Component | Purpose |
| ----------- | --------------------------------------------- |
| `payload` | Injects the vulnerability-triggering header |
| `exploit()` | Sends the malicious request |
| `analyze()` | Prints status and highlights if bypass worked |
| `banner()` | Shows a flashy ASCII intro (because why not) |
---
## ⚡ Requirements
* Python 3.7+
* [`httpx`](https://www.python-httpx.org/) (install via `pip install httpx`)
---
## ✅ Example Output
```bash
[+] GET https://target.com/api/private → HTTP 200
[!] Possible vulnerability: access granted without authentication
```
You see that green 200?
That’s not just a response code. That’s **your victory.**
Their mistake, your access.
---
## ❗ Legal Warning
> This script is for **educational and authorized testing only**.
> If you use this on unauthorized targets, you’re not a hacker — you’re just dumb. And you *will* get caught.
---
## 🧠 Final Thoughts
> Most people are sheep.
> Be the wolf. The one who *knows* where the gate is, and how to walk through it without knocking.
> If you're reading this and still don't get it — you're not meant to.
File snapshot
[4.0K] /data/pocs/f8842adc62826a69e24b19cfe8c3fca73fbd3460
├── [ 34K] LICENSE
├── [2.6K] README.md
├── [ 100] requirements.txt
└── [4.0K] thank_u_next.py
0 directories, 4 files