HTTP Request Smuggling in ASP.NET Core Kestrel
CVE-2025-55315 is a critical HTTP request/response smuggling vulnerability in the Kestrel web server component of ASP.NET Core. The flaw is caused by inconsistent interpretation of HTTP requests, allowing a crafted request to hide or smuggle a second request that is processed differently by front-end and back-end components. Microsoft describes it as a security feature bypass issue that can be exploited over the network by an authorized attacker. The issue affects supported ASP.NET Core versions, including ASP.NET Core 8, 9, 10 RC, and the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x applications in some deployment models. Reported consequences depend on application design and request handling, but include bypass of front-end security controls, credential hijacking, unintended request routing, sensitive information exposure, file/content modification, and server crash conditions.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a comprehensive proof-of-concept (PoC) for CVE-2025-55315, a .NET Kestrel HTTP request smuggling vulnerability. The project is structured into several components:

- **Api/**: Contains an ASP.NET Core API with two Dockerfiles: one for a vulnerable build (using .NET 10.0.100-rc.1) and one for a patched build (using .NET 10.0.100). The API exposes endpoints such as `/passwords/{username}`, `/passwords` (POST), and `/health`.
- **PythonProxy/**: Implements a custom Python HTTP proxy (`proxy_server.py`) that demonstrates the vulnerability by favoring the `Content-Length` header over `Transfer-Encoding` when both are present, which is the root cause of the request smuggling issue. The proxy blocks direct requests to `/passwords/admin` but can be bypassed via a crafted HTTP request that exploits the parsing discrepancy.
- **YarpProxy/**: Provides a YARP-based reverse proxy for load balancing, not directly involved in the exploit but useful for testing.
- **docker-compose.yml**: Orchestrates all services, exposing them on different localhost ports (5001 for Unsafe API, 5002 for Safe API, 5027 for PythonProxy, 5028 for YarpProxy).

The exploit works by sending a specially crafted HTTP request to the PythonProxy, which is then parsed differently by the proxy and the backend server, allowing a hidden request to `/passwords/admin` to be executed on the vulnerable backend. The repository includes detailed documentation, usage instructions, and sample exploit payloads. No fake or detection-only scripts are present; the code is a functional exploit PoC for the specified CVE.
This repository provides a professional penetration testing tool for exploiting CVE-2025-55315, a critical HTTP Request Smuggling vulnerability in Microsoft ASP.NET Core Kestrel web server (versions 3.0 through 9.0.9). The repository contains two files: a detailed README.md (documentation, usage, and legal warnings) and the main exploit script cve_2025_55315_PoC.py (Python 3). The exploit script is a single-target tool that performs reconnaissance, auto-discovers common ASP.NET Core endpoints, tests for the vulnerability, and can extract sensitive files (such as web.config) or upload a webshell for remote code execution. It supports both HTTP and HTTPS, custom ports, and provides detailed reporting. The tool is operational, requiring user confirmation for destructive actions, and is intended for authorized security testing only. The main attack vector is network-based, targeting HTTP(S) endpoints on the vulnerable server. The script does not rely on external dependencies and is suitable for use by penetration testers, researchers, and system administrators.
This repository contains a comprehensive Python exploit and research tool for CVE-2025-55315, a critical HTTP Request Smuggling vulnerability in Microsoft's ASP.NET Core Kestrel Web Server. The main file, 'CVE-2025-55315漏洞利用研究.py', is a large, feature-rich script that provides both vulnerability detection and exploitation capabilities. It supports multiple attack modes, including privilege escalation, information disclosure, data tampering, denial of service, and advanced payload delivery. The script is highly configurable, supporting stealth mode, proxy usage, multi-threading, and randomized user agents for evasion. It interacts with public vulnerability intelligence APIs (NVD, CISA, GitHub) for enrichment and reporting. The README provides usage instructions and legal disclaimers. No hardcoded target endpoints are present; the script is designed to be run against user-supplied URLs. The exploit is operational, with customizable payloads and attack vectors, and is suitable for both research and authorized penetration testing.
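The proxy behaviour described for the first repository above (favoring `Content-Length` over `Transfer-Encoding` when both are present) is the kind of ambiguous framing a front end should refuse to forward. The check below is an added example, not code from any of the listed repositories or from Microsoft; `check_framing`, `FramingError` and the sample request heads are hypothetical and constructed here, and it goes slightly beyond the page's case by also rejecting conflicting `Content-Length` values and bare CR/LF line endings.

```python
class FramingError(ValueError):
    """Raised when a request head has ambiguous message framing."""

def check_framing(head: bytes) -> str:
    """Return 'chunked', 'length' or 'none' for an HTTP/1.1 request head,
    or raise FramingError where front end and back end could disagree."""
    if b"\r\n\r\n" not in head:
        raise FramingError("incomplete request head")
    head = head.split(b"\r\n\r\n", 1)[0]
    rest = head.replace(b"\r\n", b"")
    if b"\r" in rest or b"\n" in rest:
        raise FramingError("bare CR or LF in request head")
    lengths, encodings = [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        # Rejects 'Name : value', folded continuation lines and empty names.
        if not sep or not name or name != name.strip():
            raise FramingError("malformed header line")
        key = name.lower()
        if key == b"content-length":
            lengths.append(value.strip())
        elif key == b"transfer-encoding":
            encodings.append(value.strip().lower())
    if lengths and encodings:
        raise FramingError("both Content-Length and Transfer-Encoding present")
    if encodings:
        if encodings != [b"chunked"]:
            raise FramingError("unsupported or repeated Transfer-Encoding")
        return "chunked"
    if lengths:
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            raise FramingError("conflicting or non-numeric Content-Length")
        return "length"
    return "none"

# Constructed sample heads (not captured traffic); host name is a placeholder.
SAMPLES = {
    "plain_post": b"POST /passwords HTTP/1.1\r\nHost: api.example\r\nContent-Length: 11\r\n\r\n",
    "both_headers": b"POST /passwords HTTP/1.1\r\nHost: api.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "health": b"GET /health HTTP/1.1\r\nHost: api.example\r\n\r\n",
}

def verdicts() -> dict:
    """Classify each constructed sample as a framing mode or a rejection."""
    out = {}
    for label, head in SAMPLES.items():
        try:
            out[label] = check_framing(head)
        except FramingError as exc:
            out[label] = "reject: " + str(exc)
    return out
```

A front end using a check like this would answer a rejected request with 400 and close the connection instead of forwarding it.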
Recent activity
143 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An HTTP request smuggling vulnerability in the Kestrel web server for ASP.NET Core that can allow authenticated attackers to hijack credentials, bypass front-end security controls, or crash the server.
A severe ASP.NET vulnerability in the Kestrel web server component, described as one of ASP.NET's worst recent flaws and rated CVSS 9.9.
A critical vulnerability in Tenable Identity Exposure (on-premises LTS, versions prior to 3.77.14) with a CVSS score of 9.9, potentially allowing severe exploitation if unpatched.