Let’s visit the website at the provided IP address.

When we click Convert, a POST request is made to /convert.

Let’s do a directory scan.

We found an admin directory.

The admin directory is only accessible from localhost.

So we might need to find an SSRF vulnerability to reach the admin page.

ANALYSE THE PDF METADATA

After analysing the metadata of the PDF generated by the converter, we can see the library version that is used by the backend. This library is notorious for having SSRF vulnerabilities.

After testing with a normal iframe payload, we can confirm that the SSRF vulnerability exists.

Getting the contents of the /admin page.

<iframe src=http://127.0.0.1:5000/admin height=800 width=700></iframe>

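This payload will show us the content of /admin in the generated PDF. The converter fetches the iframe source on the server itself, so the request to /admin comes from localhost and passes the restriction.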
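
The following is an added example, not part of the original write-up or the target application's code: a pre-render check that a converter backend could run on submitted text to refuse elements that trigger server-side fetches, such as the iframe used above. It assumes a Python backend; `FETCHING`, `is_internal`, `audit` and `safe_to_render` are hypothetical names.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes a server-side HTML-to-PDF renderer fetch a URL.
# Constructed list, not exhaustive (CSS url() references are not covered).
FETCHING = {"iframe": "src", "frame": "src", "img": "src", "script": "src",
            "embed": "src", "object": "data", "link": "href",
            "video": "src", "audio": "src", "source": "src"}

def is_internal(url):
    """Best-effort flag: does the URL point at the converter host or a non-public IP?"""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return True  # unparseable URL: treat as hostile
    if host is None:
        return True  # relative URL: resolved against the server itself
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # DNS name: cannot be judged from the string alone

class FetchFinder(HTMLParser):
    """Collects (tag, attribute, url, internal?) for each fetching element."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.findings.append((tag, name, value, is_internal(value)))

def audit(submitted_text):
    finder = FetchFinder()
    finder.feed(submitted_text)
    finder.close()
    return finder.findings

def safe_to_render(submitted_text):
    # Policy (assumption): the converter needs no embedded resources, so any
    # fetching element is rejected; the internal flag only sets log severity.
    return not audit(submitted_text)

if __name__ == "__main__":
    sample = "<iframe src=http://127.0.0.1:5000/admin height=800 width=700></iframe>"
    print(audit(sample), safe_to_render(sample))
```

String checks like `is_internal` are only a triage signal; the control that matters is refusing fetching elements outright and not treating a localhost source address as authentication for /admin.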