Splint3r7 · March 29, 2021 17:17
diff --git a/ssrf_wkhtmltopdf.php b/ssrf_wkhtmltopdf.php
 <?php

 # Before starting this lab make sure wkhtmltopdf is installed.

 header("Content-Type: text/html");

 $bad = "script";

 $param = $_GET["xss"];
 echo "Printing your payload on pdf file sur ;_;</br>";

 // Test if string contains the word 

 if(strpos($param, $bad) !== false){

    echo "</br>you blacklisted-bitch no scripts";
    exit;

 } else{

        # Used str_ireplace to check case-sensitive script combinations

        $param = str_ireplace($bad, "", $param);
    $fp = fopen('test.html', 'w');
        fwrite($fp, $param);
        fclose($fp);

 }

 $html_file_url = 'test.html';
 $pdf_file_url = 'test.pdf';
 $cmd = "/usr/bin/wkhtmltopdf $html_file_url $pdf_file_url";
 shell_exec($cmd);
 echo "</br><br>Your PDF is ready <a href='read.php'>Your PDF :)</a>";

 ?>
	<?php

	# Before starting this lab make sure wkhtmltopdf is installed.

	header("Content-Type: text/html");

	$bad = "script";

	$param = $_GET["xss"];
	echo "Printing your payload on pdf file sur ;_;</br>";

	// Test if string contains the word

	if(strpos($param, $bad) !== false){

	echo "</br>you blacklisted-bitch no scripts";
	exit;

	} else{

	# Used str_ireplace to check case-sensitive script combinations

	$param = str_ireplace($bad, "", $param);
	$fp = fopen('test.html', 'w');
	fwrite($fp, $param);
	fclose($fp);

	}

	$html_file_url = 'test.html';
	$pdf_file_url = 'test.pdf';
	$cmd = "/usr/bin/wkhtmltopdf $html_file_url $pdf_file_url";
	shell_exec($cmd);
	echo "</br><br>Your PDF is ready <a href='read.php'>Your PDF :)</a>";

	?>