For those who are not familiar with Dompdf, Snyk has published a few Dompdf-related vulnerabilities over here.
Based on the description there, the vulnerability we can use has been assigned CVE-2022-28368. Dompdf has an option that lets it load remote resources during the conversion, through which we should be able to execute PHP code, but it is disabled by default.
I will use the script from the Positive Security GitHub, which can be found here. They also include some pictures for a better understanding of the Dompdf exploitation.
Demonstration of the exploitation
The full writeup on the Interface walkthrough can be read here
Exploiting the Dompdf vulnerability on the Interface machine
Let’s execute the payload we saw on the Dompdf exploitation page, which you can see in the screenshot above.
On the other hand, we should be able to place the reverse shell in <filename>.php, the file we referenced within the CSS file, so that it is fetched and stored as a PHP file.
Firstly, we need to start our Python web server on our attacker machine.
However, I got the error “File not found” again on this page.
As mentioned on the exploit page, let’s change the
Therefore, let’s get pwncat-cs started on our attacker machine.
Initial Access to the machine
Trying to retrieve reverse shell connection from dompdf vulnerability
Based on the exploit we found earlier, we can trigger the file transfer via Burp Suite.
Sadly, only the CSS file was retrieved; the PHP file was not transferred to the server itself.
Therefore, let’s convert it into its md5sum as shown above.
In this part of the activity, we can use the exploitation method mentioned earlier by running the curl command.
After a while of troubleshooting the issues, it finally gets a positive response on the Python server.