Lab 58 — ReportForge — SSRF via PDF Export Logo URL

hackadvisor

Task: ReportForge business analytics platform with PDF export and company logo URL branding setting — SSRF via server-side logo fetch. Solution: set logo URL to http://localhost:3001/ to discover internal endpoints, then http://localhost:3001/flag to extract the flag embedded in the exported PDF content stream.

ssrf jwt nodejs nginx express internal_service pdf_export branding localhost glyph_decoding

internal_service_enumerationdecoy_flag_avoidancessrf_via_pdf_logo_urlpdf_content_stream_glyph_decoding

$ ls tags/ techniques/

ssrf jwt nodejs nginx express internal_service pdf_export branding localhost glyph_decoding

internal_service_enumerationdecoy_flag_avoidancessrf_via_pdf_logo_urlpdf_content_stream_glyph_decoding

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 116 — InsightForge — IDOR via Undocumented Internal API— hackadvisor
[web][Pro]BillForge— hackadvisor
[web][Pro]Lab 205 — DockForge — SSRF in Webhook Test Endpoint— hackadvisor
[web][Pro]Lab 345 — PrintForge — RCE via Ghostscript Command Injection— hackadvisor
[web][Pro]Lab 153 — FlowDesk — CSRF Account Takeover via Email Change— hackadvisor