Ecosyste.ms: Awesome


https://github.com/nhthongDfVn/File-Converter-Exploit

A small collection of file converter vulnerabilities
Last synced: about 2 months ago

README

# File-Converter-Exploit
A small collection of file converter vulnerabilities.

## File format
- Spreadsheet: `xls`, `xlsx`, `xltx`
- Document: `doc`, `docx`, `odt`
- Powerpoint: `ppt`, `pptx`
- Web: `html`
- Markdown: `md`
- Image: `png`, `gif`, `jpeg`, `svg`
- Archive: `zip`

## Checklist
- [x] Find document metadata: product, version, sensitive data.
  - Export a PDF and look in the document properties.
  - The product's `About us` page.
  - If the converter tool has an image/font import feature: host a server and inspect the `User-Agent` header of the incoming request.
- [x] Check whether the tool executes the `` tag
- [x] Spreadsheet: CSV injection
- [x] Archive: Zip Slip, symlink attack
- [x] OLE/LFD injection
- [x] XXE
- [x] SSRF
- [x] DoS
- [x] HTML injection/XSS
- [x] Command injection
- [x] SSTI
- [x] Log4j
- [x] ImageMagick RCE

## Tools
- [PDF analysis Tool](https://github.com/jesparza/peepdf) | [Docs](https://www.blackhat.com/docs/eu-15/materials/eu-15-Esparza-peepdf.pdf)
- [pdfinfo](https://linux.die.net/man/1/pdfinfo)
- [oxml_xxe](https://github.com/BuffaloWill/oxml_xxe)

## Payload
```html
<img src="x" onerror="document.write('test')" />
<script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>
```

## Application/Framework
### Office
- CVE-2017-0199:
  - OLE attack
  - https://hackerone.com/reports/361793
- https://www.libreoffice.org/about-us/security/advisories/

### Princexml
- Website: https://www.princexml.com/
- Vulnerability
  - `<= 10`: CVE-2018-19858: XXE + SSRF
  - `<= 1.4.6`: CVE-2016-10591: downloads resources over HTTP in prince, leading to RCE
  - PrinceXML Wrapper Class Command Injection [link](http://www.expku.com/web/5671.html)
  - XSS

### TCPDF
- Github: https://github.com/tecnickcom/TCPDF
- Vulnerability
  - `< 6.2.0`: CVE-2018-17057: phar deserialization in TCPDF might lead to RCE
  - `< 6.2.0`: CVE-2017-6100: uploads files from the server generating PDF files to an external FTP
  - SSRF [Link](https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)

### Node-HTML-PDF
- Github: https://github.com/marcbachmann/node-html-pdf
- Vulnerability
  - `<= 2.2.0`: CVE-2019-15138: arbitrary file read vulnerability via `file:///`

### pdfkit
- Github: https://github.com/foliojs/pdfkit
- Vulnerability
  - `< 0.5.3`: CVE-2013-1607: Command Injection

### WeasyPrint
- Github: https://github.com/Kozea/WeasyPrint
- Vulnerability
  - SSRF

### wkhtmltopdf
- Github: https://github.com/wkhtmltopdf/wkhtmltopdf
- Vulnerability
  - SSRF:
    - `"… if wkhtmltoimage convert a http status code 302 url, it may redirect …"`
    - [Write-up](https://www.virtuesecurity.com/kb/wkhtmltopdf-file-inclusion-vulnerability-2/)
    - [Git issue](https://github.com/wkhtmltopdf/wkhtmltopdf/issues/3570)
  - XSS
  - DoS via inline XML stylesheet in HTML to PDF conversion
    - Ref: https://cure53.de/pentest-report_accessmyinfo.pdf
  - Other
    - CVE-2020-10390: Chadha PHPKB Standard Multi-Language 9 Command Injection
    - CVE-2018-14865: Odoo: passing documents can read local files.
    - Drupal 6: Print module RCE

### Apache POI
- Github: https://github.com/apache/poi
- Vulnerability
  - `<= 4.1.0`: CVE-2019-12415: XXE in XSSFExportToXml
  - DoS
  - [CVE list](https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-22766/Apache-POI.html)

### Libreoffice
- Github: https://github.com/LibreOffice/core
- Vulnerability
  - `<= 7.1`: CVE-2021-25631: ShellExecute [[Link](https://positive.security/blog/url-open-rce#open-libreoffice)]
  - `<= 6.2.6`: CVE-2019-9848: LibreLogo RCE [[Link](https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/)]
  - `<= 6.0.7, <= 6.1.3`: CVE-2018-16858: Remote Code Execution via Macro/Event execution
    - [[Link](https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html)]
    - [Exploit file](https://www.exploit-db.com/exploits/47298)
  - `< 6.0.1`: =WEBSERVICE Remote Arbitrary File Disclosure
    - Exploit: https://www.exploit-db.com/exploits/44022
    - https://ctftime.org/writeup/15482
  - OLE, LFD/SSRF: Remote OLE Object xLinking
    - [A tale of exploitation in spreadsheet file conversions](https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/)
    - [Write-up](https://r4id3n.medium.com/ssrf-exploitation-in-spreedsheet-to-pdf-converter-2c7eacdac781)
    - Ghostscript: [PoC](https://gist.github.com/ziot/fb96e97baae59e3539ac3cdacbd09430)
  - XXE
  - Formula Injection:
    - Cheatsheet: [Hacktricks](https://book.hacktricks.xyz/pentesting-web/formula-injection)

### dompdf
- Github: https://github.com/dompdf/dompdf
- Vulnerability
  - `<= 1.2.1`: RCE via remote font installation [[Link](https://positive.security/blog/dompdf-rce)]
  - `<= 0.6.1`: CVE-2014-2383, CVE-2014-5013: read arbitrary files, RCE via a PHP protocol handler
    - Requires `DOMPDF_ENABLE_PHP` to be enabled
    - Exploit: https://www.exploit-db.com/exploits/33004
  - Securing dompdf: https://github.com/dompdf/dompdf/wiki/Securing-dompdf

### xdocreport
- Github: https://github.com/opensagres/xdocreport
- Vulnerability
  - SSTI: Velocity or Freemarker payload
  - XXE

### Misc/Write-up
- https://www.sidechannel.blog/en/html-to-pdf-converters-can-i-hack-them/index.html
- https://mike-n1.github.io/SSRF_P4toP2
- https://medium.com/@rezaduty/security-issues-in-import-export-functionality-5d8e4b4e9ed3
- https://docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/htmlpresent
- https://privasec.com/blog/pdf-generator-best-practices/
- https://medium.com/@armaanpathan/pdfreacter-ssrf-to-root-level-local-file-read-which-led-to-rce-eb460ffb3129
- https://viralmaniar.github.io/web%20application%20testing/webapp%20security/HTML-to-PDF-Converter-Bugs/
- https://blog.appsecco.com/finding-ssrf-via-html-injection-inside-a-pdf-file-on-aws-ec2-214cc5ec5d90
- https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/
- https://positive.security/blog/dompdf-rce
- https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf