https://github.com/nhthongDfVn/File-Converter-Exploit

A small collection of File converter vulnerability
https://github.com/nhthongDfVn/File-Converter-Exploit

Last synced: about 2 months ago
JSON representation

A small collection of File converter vulnerability

• Host: GitHub
• URL: https://github.com/nhthongDfVn/File-Converter-Exploit
• Owner: nhthongDfVn
• Created: 2022-03-22T16:25:19.000Z (almost 3 years ago)
• Default Branch: main
• Last Pushed: 2022-03-22T16:29:22.000Z (almost 3 years ago)
• Last Synced: 2024-08-05T17:40:47.133Z (5 months ago)
• Size: 7.81 KB
• Stars: 5
• Watchers: 2
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - nhthongDfVn/File-Converter-Exploit - A small collection of File converter vulnerability (Others)

README

        
# File-Converter-Exploit

A small collection of File converter vulnerability

## File format

- SpreadSheet: `xls`, `xlsx`, `xltx`

- Document: `doc`, `docx`, `odt`

- Powerpoint: `ppt`, `pptx`

- Web: `html`

- Markdown: `md`

- Image: `png`, `gif`, `jpeg`, `svg`

- Archive: `zip`

## Checklist

- [x] Find document metadata: Product, version, sensitive data.

  - Export a PDF and find in document properties

  - Product `About us`

  - If Converter tool have import image/font feature: host a server and view `User-agent` header in incoming request.

- [x] Check if tool can executing `` tag

- [x] SpreadSheet: CSV Injection

- [x] Archive: Zip slip, symlink attack

- [x] OLE/LFD injection

- [x] XXE

- [x] SSRF

- [x] DoS

- [x] HTML Injection/XSS

- [x] Command Injection

- [x] SSTI

- [x] Log4j

- [x] ImageMagick RCE

## Tools

- [PDF analysis Tool](https://github.com/jesparza/peepdf) | [Docs](https://www.blackhat.com/docs/eu-15/materials/eu-15-Esparza-peepdf.pdf)

- [pdfinfo](https://linux.die.net/man/1/pdfinfo)

- [oxml_xxe](https://github.com/BuffaloWill/oxml_xxe) 

## Paypload

```javascript

<img src="x" onerror="document.write('test')" />

<script>document.write('<iframe src="'+window.location.href+'"></iframe>')





```

## Application/Framework

### Office

- CVE-2017-0199:

- OLE attack

  - https://hackerone.com/reports/361793

- https://www.libreoffice.org/about-us/security/advisories/

### Princexml

- Website: https://www.princexml.com/

- Vulnerability 

  - `<= 10`: CVE-2018-19858: XXE + SSRF

  - `<= 1.4.6`: CVE-2016-10591: Downloads Resources over HTTP in prince--> RCE

  - PrinceXML Wrapper Class Command Injection [link](http://www.expku.com/web/5671.html) 

  - XSS

### TCPDF

- Github: https://github.com/tecnickcom/TCPDF

- Vulnerability

  - `< 6.2.0`: CVE-2018-17057: phar deserialization in TCPDF might lead to RCE

  - `< 6.2.0`: CVE-2017-6100: uploads files from the server generating PDF-files to an external FTP

  - SSRF [Link](https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)

### Node-HTML-PDF

- Github: https://github.com/marcbachmann/node-html-pdf

- Vulnerability

  - `<= 2.2.0`: CVE-2019-15138: Arbitrary file read vulnerability via file:///

### pdfkit

- Github: https://github.com/foliojs/pdfkit

- Vulnerability

  - `< 0.5.3`: CVE-2013-1607: Command Injection 

### WeasyPrint

- Github: https://github.com/Kozea/WeasyPrint

- Vulnerability

  - SSRF:

    ```

    

    ```

### wkhtmltopdf

- Github: https://github.com/wkhtmltopdf/wkhtmltopdf

- Vulnerability

  - SSRF: 

    -  `"… if wkhtmltoimage convert a http status code 302 url,it may redirect …"`

    - [Write-up](https://www.virtuesecurity.com/kb/wkhtmltopdf-file-inclusion-vulnerability-2/)

    - [Git issue](https://github.com/wkhtmltopdf/wkhtmltopdf/issues/3570)

  - XSS

  -  DoS via inline XML Stylesheet in HTML to PDF conversion

- Ref: https://cure53.de/pentest-report_accessmyinfo.pdf

- Other

  - CVE-2020-10390: Chadha PHPKB Standard Multi-Language 9 Command Injection

  - CVE-2018-14865: Odoo passing documents can read local files.  

  - Drupal 6: Print module RCE

### Apache POI

- Github: https://github.com/apache/poi

- Vulnerability

  - `<= 4.1.0`: CVE-2019-12415: XXE in XSSFExportToXml 

  - DoS

  - [CVE list](https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-22766/Apache-POI.html)

### Libreoffice

- Github: https://github.com/LibreOffice/core

- Vulnerability

  - `<= 7-1`: CVE-2021-25631: ShellExecute  [[Link](https://positive.security/blog/url-open-rce#open-libreoffice)] 

  - `<= 6.2.6`: CVE-2019-9848: LibreLogo RCE [[Link](https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/)]

  - `<= 6.0.7, <= 6.1.3`: CVE-2018-16858: Remote Code Execution via Macro/Event execution 

    - [[Link](https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html)]

    - [Exploit file](https://www.exploit-db.com/exploits/47298)

  - `< 6.0.1`: =WEBSERVICE Remote Arbitrary File Disclosure 

    - Exploit: https://www.exploit-db.com/exploits/44022

    - https://ctftime.org/writeup/15482

  - OLE, LFD/SSRF: Remote OLE Object xLinking 

    - [A tale of exploitation in spreadsheet file conversions](https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/)

    - [Write-up](https://r4id3n.medium.com/ssrf-exploitation-in-spreedsheet-to-pdf-converter-2c7eacdac781)

  - Ghostscript: [PoC](https://gist.github.com/ziot/fb96e97baae59e3539ac3cdacbd09430)

  - XXE

  - Formula Injection:

    - Cheatsheet: [Hacktricks](https://book.hacktricks.xyz/pentesting-web/formula-injection)

### dompdf

- Github: https://github.com/dompdf/dompdf

- Vulnerability

  - `<= 1.2.1`: RCE via remote font installation: [[Link](https://positive.security/blog/dompdf-rce)]

  - `<= 0.6.1`: CVE-2014-2383, CVE-2014-5013: Read arbitrary files, RCE via a PHP protocol

    - `DOMPDF_ENABLE_PHP` enable

    - Exploit: https://www.exploit-db.com/exploits/33004

  - https://github.com/dompdf/dompdf/wiki/Securing-dompdf

### xdocreport

- Github: https://github.com/opensagres/xdocreport

- Vulnerability

  - SSTI: Velocity or Freemarker payload

  - XXE 

### Misc/Write-up

- https://www.sidechannel.blog/en/html-to-pdf-converters-can-i-hack-them/index.html

- https://mike-n1.github.io/SSRF_P4toP2

- https://medium.com/@rezaduty/security-issues-in-import-export-functionality-5d8e4b4e9ed3

- https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/htmlpresent

- https://privasec.com/blog/pdf-generator-best-practices/

- https://medium.com/@armaanpathan/pdfreacter-ssrf-to-root-level-local-file-read-which-led-to-rce-eb460ffb3129

- https://viralmaniar.github.io/web%20application%20testing/webapp%20security/HTML-to-PDF-Converter-Bugs/

- https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90

- https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/

- https://positive.security/blog/dompdf-rce

- https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf