Faculty HTB - [DISCUSSION]
[quote="fironeDerbert" pid="117885" dateline="1656792596"][quote="Exa" pid="117869" dateline="1656792178"]When I'm adding (and encoding) to the pdf parameter of /admin/download.php, I'm getting an incoming request to my Python server.[/quote]From you or from the target?[/quote]From the target. It's SSRF.
[code]
nc -l -p 80 -n -v
listening on [any] 80 ...
connect to [10.10.14.xxx] from (UNKNOWN) [10.129.91.xxx] 43414
GET / HTTP/1.0
Host: 10.10.14.xxx
Connection: close
[/code]
Reply
[quote="Exa" pid="117896" dateline="1656793059"][quote="fironeDerbert" pid="117885" dateline="1656792596"][quote="Exa" pid="117869" dateline="1656792178"]When I'm adding (and encoding) to the pdf parameter of /admin/download.php, I'm getting an incoming request to my Python server.[/quote]From you or from the target?[/quote]From the target. It's SSRF.
[code]
nc -l -p 80 -n -v
listening on [any] 80 ...
connect to [10.10.14.xxx] from (UNKNOWN) [10.129.91.xxx] 43414
GET / HTTP/1.0
Host: 10.10.14.xxx
Connection: close
[/code][/quote]From the page it is using mPDF 6.0, which is vulnerable to CVE-2019-1000005. POC video here:
[code]https://www.youtube.com/watch?v=tbjtfGvym4M[/code]
Trying to get code execution.
Reply
[quote="langetmama11" pid="117925" dateline="1656794556"][quote="Exa" pid="117896" dateline="1656793059"][quote="fironeDerbert" pid="117885" dateline="1656792596"][quote="Exa" pid="117869" dateline="1656792178"]When I'm adding (and encoding) to the pdf parameter of /admin/download.php, I'm getting an incoming request to my Python server.[/quote]From you or from the target?[/quote]From the target. It's SSRF.
[code]
nc -l -p 80 -n -v
listening on [any] 80 ...
connect to [10.10.14.xxx] from (UNKNOWN) [10.129.91.xxx] 43414
GET / HTTP/1.0
Host: 10.10.14.xxx
Connection: close
[/code][/quote]From the page it is using mPDF 6.0, which is vulnerable to CVE-2019-1000005. POC video here:
[code]https://www.youtube.com/watch?v=tbjtfGvym4M[/code]
Trying to get code execution.[/quote]Succeeded in RCE?
Reply
For file read: https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f
Reply
[quote="Bumper111" pid="117987" dateline="1656798013"]For file read: https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f[/quote]mPDF Error: Cannot access file attachment - \"/etc/passwd\"
Reply
[quote="Bumper111" pid="117987" dateline="1656798013"]For file read: https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f[/quote]Doesn't work for me, mPDF can't access the file apparently.
Reply
[quote="Bumper111" pid="117987" dateline="1656798013"]For file read: https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f[/quote]Nice, this one works for me. Minus the backslashes:
Reply
Hmmm, can't seem to find any RSA key.
Reply
SSH for user: developer
Reply
[quote="Exa" pid="118005" dateline="1656799398"][quote="Bumper111" pid="117987" dateline="1656798013"]For file read: https://medium.com/@jonathanbouman/local-file-inclusion-at-ikea-com-e695ed64d82f[/quote]Nice, this one works for me. Minus the backslashes:[/quote]Sending it base64'd via /admin/download.php or adding an entry in faculty.php?
Reply
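Added example, not from the thread or the box: a defender-side check, in Python, over the base64-encoded HTML that an endpoint like /admin/download.php hands to mPDF. It flags the two things the posts above discuss, an annotation file attachment (the CVE-2019-1000005 local file read) and a resource URL on a non-allowlisted host (the outbound fetch the netcat listener caught). `ALLOWED_HOSTS`, `app.example`, `attacker.example` and the sample HTML are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Hosts the renderer may legitimately fetch from (constructed for this example).
ALLOWED_HOSTS = {"app.example", "localhost", "127.0.0.1"}
# mPDF before 7.1.8 (CVE-2019-1000005) embeds the file named by
# <annotation file="..."> into the PDF, so user-supplied HTML can read server files.
ANNOTATION_FILE = re.compile(r"<\s*annotation\b[^>]*\bfile\s*=", re.I)
# Any src/href/file attribute carrying an absolute URL makes the server fetch it
# at render time: the outbound request the netcat listener in the thread received.
URL_REF = re.compile(r"""\b(?:src|href|file)\s*=\s*["']?([a-z][a-z0-9+.-]*://[^"'\s>]+)""", re.I)


def decode_pdf_param(value: str) -> str:
    """Decode the base64 'pdf' parameter, tolerating missing '=' padding."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def inspect_html(html: str) -> list:
    """Return the suspicious constructs found in HTML destined for mPDF."""
    findings = []
    if ANNOTATION_FILE.search(html):
        findings.append("annotation-file-read")
    for match in URL_REF.finditer(html):
        host = urlsplit(match.group(1)).hostname or ""
        if host not in ALLOWED_HOSTS:
            findings.append("external-fetch:" + host)
    return findings


def inspect_pdf_param(value: str) -> list:
    """Decode and inspect one 'pdf' value; undecodable input is itself a finding."""
    try:
        html = decode_pdf_param(value)
    except (binascii.Error, ValueError):
        return ["undecodable-base64"]
    return inspect_html(html)


# Constructed sample values of the HTML behind the 'pdf' parameter, one per case.
SAMPLES = {
    "benign": "<h1>Faculty</h1><img src='http://app.example/logo.png'>",
    "ssrf": "<img src='http://attacker.example/'>",
    "file-read": "<annotation file='/etc/passwd'/>",
}


def scan_samples() -> dict:
    """Encode each sample as the endpoint expects and report what the check flags."""
    return {name: inspect_pdf_param(base64.b64encode(html.encode()).decode())
            for name, html in SAMPLES.items()}
```

Wiring `inspect_pdf_param` in front of the renderer, or running it over logged `pdf` values, turns both attempts into a logged, rejected request instead of a file read or an outbound connection.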