Dompdf Vulnerability

For those who are not familiar with Dompdf, Snyk has published a few vulnerabilities related to Dompdf here.

Based on the description here, the vulnerability that we can use has been assigned CVE-2022-28368. Dompdf has an option that allows PHP code to be executed during the conversion, but it is disabled by default.

I will use the script from the Positive Security GitHub, which can be found here. They also included some pictures for a better understanding of the Dompdf exploitation.

Demonstration of the exploitation

The full writeup on the Interface walkthrough can be read here

Exploiting the Dompdf vulnerability on the Interface machine

Let’s execute the payload that we have seen on the Dompdf exploitation page which you can see in the screenshot above.

On the other hand, we should be able to insert the reverse shell into <filename>.php, which is the file that we configured within the CSS file and which can then be called as a PHP file.

First, we need to start a Python server on our attacker’s machine.

However, I got the error “File not found” again on this page.

As mentioned on the exploit page, let’s change the

Therefore, let’s start pwncat-cs on our attacker’s machine.

Initial Access to the machine

Trying to retrieve reverse shell connection from dompdf vulnerability

Based on the exploit that we found earlier, we can execute the file transfer via Burp Suite.

Sadly, we only retrieved the CSS file, but the PHP file has not been transferred to the server itself.

Therefore, let’s convert it into an md5sum as shown above.

In this part of the activity, we can use the exploit mentioned earlier via the curl command.

After a while of troubleshooting the issues, we finally get a positive response on the Python server.
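
From the defender's side, this technique leaves a file with a non-font extension (or a font file carrying a PHP tag) in the directory where Dompdf caches downloaded fonts. The audit below is an added example, not code from the original post or the Dompdf project. The extension allowlist is an assumption to adjust per Dompdf version, and the sample directory and file names are constructed.

```python
import os
import tempfile

# Assumption: extensions a Dompdf font directory legitimately holds; adjust per version.
ALLOWED_EXT = {".ttf", ".otf", ".ufm", ".afm", ".json"}
# Leading bytes of TrueType/OpenType containers.
FONT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
PHP_TAG = b"<?php"


def audit_font_dir(font_dir):
    """Return (filename, reason) pairs for suspicious files in font_dir."""
    findings = []
    for name in sorted(os.listdir(font_dir)):
        path = os.path.join(font_dir, name)
        if not os.path.isfile(path):
            continue
        ext = os.path.splitext(name)[1].lower()
        with open(path, "rb") as fh:
            data = fh.read()
        if ext not in ALLOWED_EXT:
            findings.append((name, "unexpected extension " + (ext or "(none)")))
        elif ext in (".ttf", ".otf") and not data.startswith(FONT_MAGIC):
            findings.append((name, "font extension without font header"))
        # A valid font header does not rule out PHP embedded in a metadata field.
        if PHP_TAG in data.lower():
            findings.append((name, "contains PHP open tag"))
    return findings


def build_sample_dir():
    """Constructed sample directory: one clean font, two suspicious files."""
    d = tempfile.mkdtemp(prefix="fontaudit_")
    samples = {
        "DejaVuSans.ttf": b"\x00\x01\x00\x00" + b"\x00" * 32,
        "sample_normal_0123abcd.php": b"\x00\x01\x00\x00" + b"<?php /* placeholder */ ?>",
        "other_normal_89ef.ttf": b"\x00\x01\x00\x00 name <?php /* placeholder */ ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for name, reason in audit_font_dir(build_sample_dir()):
        print(f"{name}: {reason}")
```

Run it against the font directory of the deployed Dompdf instance; any finding on a file the application did not ship is worth investigating alongside the web server's access log.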
