Posted by deaguero at 2020-02-27

What is pdfretter? It is a piece of parsing software that converts HTML files into PDF files.

During a penetration test, I found that the target application used pdfretter for file conversion.

So I thought this software might mishandle some dangerous HTML. I tried inserting a lone <img> tag into an otherwise normal HTML page and converting it to PDF, with the following result:


This looked like a good start: neither the target application nor pdfretter filtered or sanitized the HTML tags I inserted.

The next thing I tried was an <iframe> tag that loads Google.


Now it was clear that any HTML tag I inserted would take effect. I also tried loading my own website in an <iframe>, and found that the target application visited my website during the file conversion, so the fetch happens on the server side.


Next, I used the file:/// wrapper to load a local file. The payload was:

"/><iframe src="file:///etc/passwd"></iframe>


Then the /etc/shadow file. The target application runs as root, so I also obtained this high-privilege file:

"/><iframe src="file:///etc/shadow"></iframe>

In the last step, I read the SSH-related configuration files directly, obtained the SSH key, and connected to the server as root over SSH.
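The check the application was missing, as an added example (not code from the original post, the target application, or pdfretter): audit untrusted HTML for resource loads before it reaches any HTML-to-PDF renderer, and refuse to render when an element would make the renderer fetch a file:// URL, an unexpected scheme, or a host outside an allowlist. The vulnerable template, the allowlisted host cdn.example, the callback host attacker.example and the entity-encoded variant are all constructed for the example; the probes themselves follow the escalation ladder from the post.

```python
"""Audit untrusted HTML for resource loads before it reaches an HTML-to-PDF
renderer. Converters fetch <img>/<iframe>/<object> sources on the server and
usually honour file:// unless told otherwise, which is what the post exploits."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value the renderer will fetch (conservative: href on <a> is included).
LOAD_ATTRS = {"src", "href", "data", "poster", "background", "action", "srcset", "xlink:href"}
# Elements a report template never needs and that fetch, navigate or execute.
BLOCKED_TAGS = {"iframe", "frame", "object", "embed", "script", "link", "meta", "base", "form", "style"}
SAFE_SCHEMES = {"http", "https"}


def urls_in(attr, value):
    """Split attributes that carry several URLs (srcset: 'a.png 1x, b.png 2x')."""
    if attr == "srcset":
        return [piece.split()[0] for piece in value.split(",") if piece.strip()]
    return [value]


def url_reasons(url, allowed_hosts):
    """Reasons a URL must not be fetched by the renderer; [] means acceptable."""
    parts = urlparse(url.strip())
    scheme = parts.scheme.lower()
    if scheme == "":
        return []  # relative reference, resolved against the application's own base
    if scheme == "file":
        return ["local_file"]  # the /etc/passwd and /etc/shadow reads from the post
    if scheme not in SAFE_SCHEMES:
        return ["bad_scheme"]  # ftp:, gopher:, jar: and similar
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        return ["external_host"]  # out-of-band callback, i.e. SSRF from the renderer
    return []


class ResourceAudit(HTMLParser):
    """Collect one finding per offending element. HTMLParser hands attribute values
    over already unescaped, so &#102;ile: is seen as file:, as a renderer would see it."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        reasons, urls = set(), []
        if tag in BLOCKED_TAGS:
            reasons.add("blocked_tag")
        for name, value in attrs:
            if name in LOAD_ATTRS and value:
                for url in urls_in(name, value):
                    why = url_reasons(url, self.allowed_hosts)
                    if why:
                        urls.append(url)
                        reasons.update(why)
        if reasons:
            self.findings.append({"tag": tag, "urls": urls, "reasons": sorted(reasons)})


def audit(html, allowed_hosts=()):
    parser = ResourceAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def safe_to_render(html, allowed_hosts=()):
    return not audit(html, allowed_hosts)


# Constructed stand-in for the vulnerable application: user input is pasted into an
# attribute without escaping, so a payload starting with "/> breaks out of the tag.
TEMPLATE = '<html><body><h1>Report</h1><input type="text" value="{name}"><p>Done.</p></body></html>'


def build_report(name):
    return TEMPLATE.format(name=name)


# The post's escalation ladder, plus one entity-encoded variant (all constructed).
PROBES = {
    "img_callback": '"/><img src="http://attacker.example/pixel.gif">',
    "iframe_external": '"/><iframe src="https://www.google.com/"></iframe>',
    "iframe_passwd": '"/><iframe src="file:///etc/passwd"></iframe>',
    "iframe_shadow": '"/><iframe src="file:///etc/shadow"></iframe>',
    "encoded_file": '"/><object data="&#102;ile:///etc/passwd"></object>',
}

if __name__ == "__main__":
    for label, probe in PROBES.items():
        print(label, audit(build_report(probe), allowed_hosts=("cdn.example",)))
```

This is a gate, not a sanitizer: rejecting the whole document is the right call for a report generator whose legitimate input never contains iframes or absolute URLs. It should sit in front of, not instead of, running the converter with remote content disabled and as an unprivileged user in a network-restricted sandbox; the root-owned /etc/shadow read in the post happened only because the converter ran as root.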

Thank you for reading!

