PDFReacter SSRF to ROOT Level Local File Read which led to RCE
What is PDFReacter?
- PDFReacter is a parser that converts HTML content into PDF.
While testing an application, I identified that it was using the PDFReacter parser.
Since PDFReacter parses HTML content, I started with XSS vectors. I tried injecting an <img> tag, and when I exported the form to PDF, the response was like this,
Which means that neither the application nor PDFReacter escapes HTML tags.
The next attempt was with an <iframe> tag. I tried loading Google.
Now it was clear that the application was accepting the iframe tag. I also tried to load my own website into the frame, and while exporting the form to PDF, I noticed that I was getting an external hit from the target application.
The next attempt was to load local files with the file:/// wrapper. I tried with "><iframe src="file:///etc/passwd"/></iframe>
The next attempt was to get the shadow files. Since the web server was running with root permissions, it fetched all the shadow files.
Next was to pop a shell: I fetched the private SSH keys and was able to SSH to the server.
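From the defender's side, this chain points at two fixes: escape user input before it reaches the HTML, and refuse to render any document that references resources outside an approved set of hosts. The following is an added example, not code from this post or from PDFReacter; the form template, the allowlisted host and the audited attribute names are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a renderer may dereference while laying out the page (assumed set).
URL_ATTRS = {"src", "href", "data", "srcset", "poster", "background", "action"}
# Hosts the converter is allowed to fetch from (assumed allowlist for this example).
ALLOWED_HOSTS = {"assets.example.internal"}


class ResourceAuditor(HTMLParser):
    """Record every absolute URL that is not http(s) to an allowlisted host."""

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() not in URL_ATTRS or value is None:
                continue
            # srcset holds comma-separated "url descriptor" candidates.
            candidates = value.split(",") if name.lower() == "srcset" else [value]
            for candidate in candidates:
                url = candidate.strip().split(" ")[0]
                parts = urlsplit(url)
                if not parts.scheme:
                    continue  # relative URL: resolved against the renderer's own base
                if parts.scheme.lower() not in ("http", "https") \
                        or parts.hostname not in ALLOWED_HOSTS:
                    self.violations.append((tag, name, url))


def audit_html(doc):
    """Return (tag, attribute, url) per disallowed fetch; empty means safe to render."""
    auditor = ResourceAuditor()
    auditor.feed(doc)
    auditor.close()
    return auditor.violations


def render_form_field(template, user_value):
    """Root-cause fix: entity-escape user text so it cannot close the attribute."""
    return template.replace("{{name}}", html.escape(user_value, quote=True))


# Constructed form template and the attribute-breakout input quoted in the post.
TEMPLATE = '<p>Name: <input value="{{name}}"></p>'
PAYLOAD = '"><iframe src="file:///etc/passwd"/></iframe>'

if __name__ == "__main__":
    print(audit_html(TEMPLATE.replace("{{name}}", PAYLOAD)))  # unescaped: flags the iframe
    print(audit_html(render_form_field(TEMPLATE, PAYLOAD)))   # escaped: []
```

The auditor only inspects tag attributes; CSS url() and @import references in style blocks need the same scheme and host check before the document is handed to the converter.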
Thanks for reading. Shoot me a DM on Twitter for any queries.
Have a great day ahead.