Update nextcheck.sh

2025-12-07 05:28:30 +00:00
parent 52b407994c
commit 3418bcaffd
1 changed files with 55 additions and 31 deletions
--- a/nextcheck.sh
+++ b/nextcheck.sh
@@ -1,57 +1,81 @@
 #!/bin/bash

-# 1. PRE-FLIGHT CHECK: Ensure Docker is running and accessible
+# 1. PRE-FLIGHT CHECK
 if ! docker ps >/dev/null 2>&1; then
-    echo -e "\033[31m[ERROR]\033[0m Cannot connect to Docker daemon."
-    echo "         Try running this script with 'sudo'."
+    echo -e "\033[31m[ERROR]\033[0m Cannot connect to Docker daemon. Use 'sudo'."
    exit 1
 fi

 # Counters
 TOTAL_SCANNED=0
 NODE_CONTAINERS=0
-VULNERABLE_COUNT=0
+VULN_RCE=0     # React2Shell (RCE)
+VULN_AUTH=0    # Middleware Bypass

-echo "========================================================"
-echo "   Next.js Vulnerability Scanner (CVE-2025-55182)       "
-echo "========================================================"
+echo "=============================================================================="
+echo "   Next.js & React Vulnerability Scanner (CVE-2025-55182 / 66478 / 29927)     "
+echo "=============================================================================="
+echo "TARGET: RCE (Next.js 15+, React 19+) & Auth Bypass (Next.js <14.2.25)"
+echo "------------------------------------------------------------------------------"

-# We use Process Substitution < <(...) instead of a pipe | 
-# This ensures the loop runs in the current shell, preserving variables.
 while IFS='|' read -r id name; do
    ((TOTAL_SCANNED++))
    
-    # Optional: Progress indicator (uncomment if you have many containers)
-    # echo -ne "Scanning: $name\r"
-    
    # 2. HEURISTIC: Is this a Node environment?
-    # We check for package.json in standard paths or the 'node' binary
    is_node=$(docker exec "$id" sh -c "test -f /app/package.json || test -f /usr/src/app/package.json || command -v node" 2>/dev/null && echo "yes" || echo "no")
    
    if [ "$is_node" == "yes" ]; then
        ((NODE_CONTAINERS++))
        
-        # 3. VERSION CHECK
-        # Method A: Grep package.json
-        version_check=$(docker exec "$id" grep -Po '"next":\s*"\^?\K[0-9.]+' /app/package.json 2>/dev/null)
+        # 3. VERSION EXTRACTION
+        # We try to grep versions from package.json output (more reliable than npm list in some containers)
+        # We read the file once to a variable to save docker exec calls
+        pkg_content=$(docker exec "$id" cat /app/package.json /usr/src/app/package.json 2>/dev/null)
        
-        # Method B: Check for Standalone server
-        is_standalone=$(docker exec "$id" ls /app/.next/standalone/server.js 2>/dev/null)
+        # Extract versions using grep (matches "next": "^14.2.21" -> 14.2.21)
+        next_ver=$(echo "$pkg_content" | grep -Po '"next":\s*"\^?\K[0-9.]+' | head -n1)
+        react_ver=$(echo "$pkg_content" | grep -Po '"react":\s*"\^?\K[0-9.]+' | head -n1)
+        
+        # 4. VULNERABILITY LOGIC
+        status=""
+        
+        # CHECK 1: RCE (React2Shell) - Next.js 15+ OR React 19+
+        if [[ "$next_ver" =~ ^15\. ]] || [[ "$next_ver" =~ ^16\. ]] || [[ "$react_ver" =~ ^19\. ]]; then
+            status="\033[31m[CRITICAL RCE]\033[0m"
+            ((VULN_RCE++))
+            
+        # CHECK 2: Middleware Auth Bypass - Next.js 14.x < 14.2.25
+        # Logic: Starts with 14., and subversion comparison (simplified for bash)
+        elif [[ "$next_ver" =~ ^14\. ]]; then
+             # Extract minor and patch: 14.2.21 -> minor=2, patch=21
+             minor=$(echo "$next_ver" | cut -d. -f2)
+             patch=$(echo "$next_ver" | cut -d. -f3)
+             
+             # Vulnerable if 14.0.x - 14.1.x OR (14.2.x AND patch < 25)
+             if [ "$minor" -lt 2 ] || { [ "$minor" -eq 2 ] && [ "$patch" -lt 25 ]; }; then
+                 status="\033[33m[HIGH AUTH BYPASS]\033[0m"
+                 ((VULN_AUTH++))
+             else
+                 status="\033[32m[SAFE]\033[0m"
+             fi
+             
+        elif [[ ! -z "$next_ver" ]]; then
+             status="\033[32m[SAFE]\033[0m" # Older versions (13, 12) usually safe from these specific CVEs
+        fi

-        if [[ ! -z "$version_check" ]]; then
-            echo -e "[\033[31mVULN\033[0m] $name \t-> Next.js $version_check"
-            ((VULNERABLE_COUNT++))
-        elif [[ ! -z "$is_standalone" ]]; then
-            echo -e "[\033[33mWARN\033[0m] $name \t-> Detected (Standalone Mode) - Check manually"
-            ((VULNERABLE_COUNT++))
+        # 5. OUTPUT
+        if [[ ! -z "$next_ver" ]]; then
+            echo -e "$status $name"
+            echo -e "       Next.js: $next_ver  |  React: ${react_ver:-Unknown}"
        fi
    fi
 done < <(docker ps --format '{{.ID}}|{{.Names}}')

-echo -e "\n========================================================"
-echo "SCAN COMPLETE"
-echo "--------------------------------------------------------"
-echo "Total Containers Scanned: $TOTAL_SCANNED"
-echo "Node/JS Environments:     $NODE_CONTAINERS"
-echo "Next.js Apps Found:       $VULNERABLE_COUNT"
-echo "========================================================"
+echo "=============================================================================="
+echo "SCAN SUMMARY"
+echo "------------------------------------------------------------------------------"
+echo "Containers Scanned:   $TOTAL_SCANNED"
+echo "Node Environments:    $NODE_CONTAINERS"
+echo "RCE Vulnerable:       $VULN_RCE (React2Shell)"
+echo "Auth Vulnerable:      $VULN_AUTH (Middleware Bypass)"
+echo "=============================================================================="