Website:


It appears that we can create an invoice:


We can then view this Invoice in the original invoice list, and export as a PDF.


The request that submits the markdown content for the invoice is posted as JSON:


Source Code:

The source code shows an application written in Node.js, with a few routes.

It can also be observed that MDHelper.js is being used to convert markdown to a PDF.

Looking at package.json shows the dependencies of the application, which in this case include md-to-pdf 4.1.0. Searching for "md to pdf 4.1.0 exploit" reveals an RCE in any version of md-to-pdf < 5.0.0.

LINK: https://snyk.io/vuln/npm%3Amd-to-pdf

Payload:

The Snyk advisory shows that if a certain payload is passed into the content field of the mdToPdf function, code is executed:

---js
((require("child_process")).execSync("id > /tmp/RCE.txt"))
---RCE
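
From the defender's side, the payload above works because the text after the opening `---` names a front-matter engine (`js`), so the block is evaluated as code instead of parsed as data. The following is an added example, not code from the application or from md-to-pdf: a pre-filter that an invoice route could run on the submitted markdown before conversion, as defense in depth alongside upgrading past the vulnerable range. The function names and the allow-list are assumptions.

```javascript
// Added example (hypothetical helper names): reject markdown whose front
// matter declares an executable engine before it reaches the PDF converter.
// Assumption: the parser reads the engine name from the remainder of the
// first line after the opening '---', which is what '---js' relies on.

// Engines that only parse data. Anything else is refused.
const ALLOWED_ENGINES = new Set(['', 'yaml', 'yml']);

// Returns the declared front-matter engine name (lowercased, trimmed),
// or null when the document does not start with a front-matter block.
function frontMatterEngine(markdown) {
  const text = String(markdown).replace(/^\uFEFF/, ''); // ignore a leading BOM
  if (!text.startsWith('---')) return null;
  if (text[3] === '-') return null; // '----' is a horizontal rule, not front matter
  const firstLine = text.slice(3).split(/\r?\n/, 1)[0];
  return firstLine.trim().toLowerCase();
}

// Validates the markdown string taken from the JSON request body.
// Returns { ok: true } or { ok: false, reason } so the route can answer 400.
function checkInvoiceMarkdown(content) {
  if (typeof content !== 'string') {
    return { ok: false, reason: 'content must be a string' };
  }
  const engine = frontMatterEngine(content);
  if (engine !== null && !ALLOWED_ENGINES.has(engine)) {
    return { ok: false, reason: `front-matter engine "${engine}" is not allowed` };
  }
  return { ok: true };
}

// Constructed sample inputs: plain invoice, YAML front matter, and the
// payload shape quoted on this page.
const samples = [
  '# Invoice 42\n\nTotal: 10.00',
  '---\ntitle: Invoice 42\n---\n# Invoice 42',
  '---js\n((require("child_process")).execSync("id > /tmp/RCE.txt"))\n---RCE',
];
for (const s of samples) {
  console.log(JSON.stringify(s.split('\n')[0]), checkInvoiceMarkdown(s));
}
```

The filter narrows what reaches the converter but does not replace the fix: per the advisory, versions of md-to-pdf below 5.0.0 are affected, so the dependency in package.json should be moved to 5.0.0 or later.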