@Splint3r7
Created March 29, 2021 17:17
WKHTMLTOPDF SSRF PHP CODE
<?php
# Before starting this lab make sure wkhtmltopdf is installed.
header("Content-Type: text/html");
$bad = "script";
// Default to an empty string so a request without ?xss= does not raise a notice
$param = $_GET["xss"] ?? "";
echo "Printing your payload on pdf file sur ;_;</br>";
// Test if string contains the word (strpos is case-sensitive)
if (strpos($param, $bad) !== false) {
    echo "</br>you blacklisted-bitch no scripts";
    exit;
} else {
    # str_ireplace is case-insensitive: it strips mixed-case variants of "script"
    # that the case-sensitive strpos check above lets through
    $param = str_ireplace($bad, "", $param);
    // The filtered input is written to disk as HTML, still user-controlled
    $fp = fopen('test.html', 'w');
    fwrite($fp, $param);
    fclose($fp);
}
$html_file_url = 'test.html';
$pdf_file_url = 'test.pdf';
// wkhtmltopdf renders the user-supplied HTML server-side
$cmd = "/usr/bin/wkhtmltopdf $html_file_url $pdf_file_url";
shell_exec($cmd);
echo "</br><br>Your PDF is ready <a href='read.php'>Your PDF :)</a>";
?>
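For comparison with the lab above, a hardened counterpart that treats the input as text instead of filtering markup. This is an added example, not part of the original gist; the `render_pdf()` helper, the `text` parameter and the 10000-byte limit are assumptions made for illustration.

```php
<?php
// Added example (not the gist author's code). Assumes wkhtmltopdf is at
// /usr/bin/wkhtmltopdf; render_pdf() and the "text" parameter are hypothetical.
function render_pdf(string $userText): string
{
    // Escape instead of blacklisting: the renderer receives no tags at all,
    // so the input cannot make it load a URL, a local file or a script.
    $safe = htmlspecialchars($userText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = "<!doctype html><meta charset=\"utf-8\"><pre>$safe</pre>";

    // Per-request files outside the web root instead of a shared test.html.
    $base = tempnam(sys_get_temp_dir(), 'pdf_');
    if ($base === false) {
        throw new RuntimeException('could not create temp file');
    }
    $in  = $base . '.html';
    $out = $base . '.pdf';
    if (file_put_contents($in, $html) === false) {
        throw new RuntimeException('could not write input file');
    }

    // Defence in depth on the renderer: no JavaScript, no plugins, and no
    // reading of other local files from the page being converted.
    $cmd = implode(' ', [
        '/usr/bin/wkhtmltopdf', '--quiet',
        '--disable-javascript', '--disable-plugins',
        '--disable-local-file-access',
        escapeshellarg($in), escapeshellarg($out),
    ]);
    exec($cmd, $output, $status);
    unlink($in);
    unlink($base);
    if ($status !== 0 || !is_file($out)) {
        throw new RuntimeException('wkhtmltopdf failed');
    }
    return $out;
}

if (PHP_SAPI !== 'cli') {
    $text = $_GET['text'] ?? '';
    if (!is_string($text) || strlen($text) > 10000) {
        http_response_code(400);
        exit('invalid input');
    }
    $pdf = render_pdf($text);
    header('Content-Type: application/pdf');
    readfile($pdf);
    unlink($pdf);
}
```

The `--disable-local-file-access` flag does not stop network fetches, so where HTML markup must be accepted, run the converter on a host or container whose outbound traffic to internal ranges and metadata endpoints is blocked.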