I'm working with an interesting vulnerability I found which enables local file inclusion (LFI) on a target server. In summary, there is a PDF generation API endpoint which accepts an HTML string as input. In return, it will render the HTML and spit out a PDF.
The HTML parser it uses supports most basic HTML tags. Although not used by the target application, it also seems to support the <img>
tag.
I was therefore able to get it to generate a PDF featuring an image from the local filesystem. It's a Windows server so simply specifying <img src="C:/Windows/Web/Wallpaper/Windows/img0.jpg">
did the trick nicely.
RFI is also possible in that I was able to specify a remote image and it happily loaded it. I provided it a link to my server and inspected the request and there was nothing interesting - no unusual request headers or anything.
However since the HTML parser does not support JavaScript (I'm sure of this because I was able to find the actual library being used online and that's clearly documented), I couldn't escalate this much more beyond retrieving a wallpaper image. It also doesn't support <iframe>
, <embed>
or <object>
tags. As you may know, <img>
refuses to load anything that isn't an image.
Are there any images which exist by default on Windows (presumably Server) which would be considered more sensitive? The bug bounty program for this organization of course only accepts rewards with a demonstrable security impact - so I feel like I'm just one step away from actually having something worth reporting.
Otherwise, any other creative ideas on how to include a different file type would also be appreciated (I'm hoping for the HOSTS file).
It also supports basic CSS, including the background-image
property. But again, same issue.
Lastly, I tried specifying an SVG that contained a malicious XML payload, but found that the library doesn't support SVG and doesn't recognize XML at all.