From SSRF To RCE in PDFReacter

What is PDFReacter?
- PDFReacter is a parser which parses HTML content from HTML to PDF.

While testing an application I have identified that an application is using the PDFReacter parser.

PDFReacter is a formatting processor that parses the HTML content to PDF files.so Since an application has an option to insert data into forms, I started fuzzing with XSS and for that, I simply used <img> tag. there was an option to export the forms to PDF and when I exported the one of the form which has the payload, the final PDF file was like this.

This means an application and PDFReacter both do not escapes the HTML tags and processes the HTML tags/XSS Payloads as well.

Since I knew that an application is using PDFReacter as a parser and both application and parsers are not escaping my payloads. So the next was with the iframe. I wanted to check if I can load external sites in a final pdf document or not and as you can see that Google is getting loaded in the frame.

Now it was clear that I can hit to the external sites by using iframe(SSRF Confirmed).

Next step was to read the local files with file:/// wrapper.Simple Payload “><iframe src=”file:///etc/passwd”/></iframe> I used for it.

Bang !!!!!

Next is to check if the current user has root privileges or not. I Simply tried fetching the shadow file with the below-mentioned payload and I noticed that I was able to fetch the shadow file.
“/><iframe src=”file:///etc/shadow”></iframe>

Since the Current user has the root privileges, Next was to pop a shell, I Fetched Private SSH keys, And was able to SSH to the server.

Although it was not my first RCE, I got goosebumps when I popped the shell. Rahul Maini’s blog helped me a lot to understand the current scenario. Thanks, Maini for an awesome blog.

Thanks everyone for reading.