Drupal w/ wkhtmltopdf
Introduction
Have a drupal site?
Need to generate PDF copies of pages?
The ‘Print’ Module will help you. It has with ~60,000 other victims users.
The print module supports four backend PDF generation tools.
This PoC focuses on the ‘wkhtmltopdf’ backend.
Instructions
- Review the code for the wkhtmltopdf sub-module at print_pdf_wkhtmltopdf.pages.inc
- Execution of the function
print_pdf_wkhtmltopdf_print_pdf_generate
occurs as a result ofcurl http://localhost:12100/printpdf/1
- Note: caching issues exist, incrementing node (1 in the above curl request) forces a fresh request
- Execution of the function
- Understand how the function
print_pdf_wkhtmltopdf_print_pdf_generate
works, figure out how to exploit - Vulnerability is public, no gooling of vulnerability specifics (that’s cheating!)
- Research on function calls, what they do and how they work is ok though.
- Get Shell
Sectalks setup
A digital ocean box has been setup. Use port range 30000-30020. Once compromised please do not trash containers. However, dumping the DB / stealing configs is cool.
Local Setup
git clone https://github.com/yoloClin/sectalks_print
cd sectalks_print
bash ./setup.sh
curl localhost:12100/print/1
Digital Ocean setup
Follow ‘Local Setup’ but use docean-setup.sh