What is PDFreactor? It is an HTML-to-PDF rendering engine: it parses HTML and CSS and renders the result as a PDF file, and like a browser it fetches the resources the markup references.
During a penetration test I found that the target application used PDFreactor for its file conversion.
So I wondered whether the renderer handled dangerous HTML safely. I inserted a bare <img> tag into an otherwise normal HTML page and converted it to PDF; the response showed the tag being rendered:
<img>
This looked like a good start: neither the target application nor PDFreactor escaped or stripped the HTML tag, it was passed straight through to the renderer.
Next I tried an <iframe> tag that loaded Google:
<iframe>
Now it was clear that every HTML tag I injected was rendered. I also pointed the <iframe> at my own website and found that the target application fetched it during the conversion: the request comes from the server, not from my browser, which is a server-side request forgery (SSRF).
<iframe>
Next I used the file:/// scheme to load a local file. The leading > closes whatever tag my input lands in, so the injected <iframe> is parsed as an element of its own. The payload was:
><iframe src="file:///etc/passwd"/></iframe>
Bang! The contents of /etc/passwd appeared in the generated PDF.
Then /etc/shadow. The target application was running as root, so this root-only file could be read as well:
"/><iframe src="file:///etc/shadow"></iframe>
As the last step I read the SSH-related files directly, recovered the SSH private key, and logged in to the server as root over SSH.
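The root cause is that user-supplied HTML reached the renderer unmodified. The following is an added example, not code from the original post or from PDFreactor: it models the vulnerable pattern (user input concatenated into a page template; the template itself is an assumption) next to an allow-list sanitiser that drops every element capable of fetching a URL and keeps only http(s) links, plus a helper that lists the URLs a page would make the renderer fetch, which serves both as a pre-render gate and as a test oracle. The tag, attribute and scheme lists are my assumptions, chosen to illustrate the approach.

```python
"""Allow-list sanitiser for user HTML that is fed to an HTML-to-PDF renderer.
Added example; not code from the original post or from PDFreactor.  The page
template and the allowed tag/attribute sets are assumptions for illustration."""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# Inert formatting tags only.  <img>, <iframe>, <object>, <embed>, <link>,
# <script>, <style> ... are all dropped, which removes every element a renderer
# could use to fetch a URL (the SSRF and file:/// vectors from the write-up).
ALLOWED_TAGS = {"p", "b", "i", "u", "strong", "em", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}
# Attributes that HTML renderers resolve and fetch.
FETCH_ATTRS = {"src", "href", "data", "poster", "background"}

# Assumed server-side template: the target concatenated user input straight in.
TEMPLATE = "<html><body><h1>Invoice for {name}</h1></body></html>"


def safe_url(value: str) -> Optional[str]:
    """Return the URL if its scheme is http(s), otherwise None.

    html.parser has already decoded entities such as &#102;ile: in attribute
    values; control characters are stripped so the scheme cannot be split with
    a tab or newline.  Scheme-less (relative) URLs are rejected too, because the
    renderer would resolve them against its own base and could reach local files.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 31 and ord(ch) != 127).strip()
    return cleaned if urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES else None


class AllowListSanitiser(HTMLParser):
    """Re-emits only allow-listed tags/attributes; other elements are dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # element dropped; any text inside it still reaches handle_data
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                url = safe_url(value)
                if url is not None:
                    kept.append(f' {name}="{escape(url)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    # A self-closing <iframe .../> reaches handle_starttag and handle_endtag by default.

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # the payload's leading "/> becomes &quot;/&gt;


class UrlCollector(HTMLParser):
    """Collects every URL a renderer would be asked to fetch from a page."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS and value:
                self.urls.append(value)


def fetchable_urls(html: str) -> List[str]:
    """Pre-render gate / test oracle: which URLs would this page make the renderer load?"""
    c = UrlCollector()
    c.feed(html)
    c.close()
    return c.urls


def sanitise(user_html: str) -> str:
    p = AllowListSanitiser()
    p.feed(user_html)
    p.close()
    return "".join(p.out)


def render_vulnerable(user_html: str) -> str:
    """The pattern behind the write-up: raw user HTML concatenated into the page."""
    return TEMPLATE.format(name=user_html)


def render_hardened(user_html: str) -> str:
    """Same page, but only inert markup and http(s) links survive."""
    return TEMPLATE.format(name=sanitise(user_html))


if __name__ == "__main__":
    payload = '"/><iframe src="file:///etc/shadow"></iframe>'  # payload from the write-up
    print(fetchable_urls(render_vulnerable(payload)))  # ['file:///etc/shadow']
    print(fetchable_urls(render_hardened(payload)))    # []
```

Run against the write-up's own payload, the vulnerable render hands the renderer file:///etc/shadow while the hardened render yields a page with no fetchable URL at all; the leading "/> survives only as escaped text, and a scheme hidden behind an entity (&#102;ile:) or upper-cased (FILE:) is rejected because the check runs on the decoded, normalised value. Sanitising input is only half of the fix: the conversion in this report ran as root, so the same file read would also have been stopped at the file system had the renderer run as an unprivileged user, inside a sandbox with no route to internal hosts, and with loading of file: URLs disabled in the renderer's own configuration where the product offers that control.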
Thank you for reading!
This article was compiled and translated by 白帽汇 and does not represent any view or position of 白帽汇.
Source: https://medium.com/@armaanpathan/pdfreacter-ssrf-to-root-level-local-file-read-which-led-to-rce-eb460ffb3129