DOMPDF RCE
This exercise covers the exploitation of a vulnerability in the DOMPDF library.
This challenge involves leveraging the DOMPDF library to achieve remote code execution. DOMPDF, when configured with $isRemoteEnabled set to true, can fetch external stylesheets. By injecting a stylesheet link that points to a malicious font file, you can trick DOMPDF into caching your malicious file with a .php extension. This file is stored in the /dompdf/lib/fonts/ directory and can be executed by navigating to its URL.
To carry out the attack, you'll need to create a CSS file with an @font-face rule that specifies your malicious font hosted on your server. When DOMPDF processes this CSS, it will fetch and cache the font file in its fonts directory. The cached file will have a predictable name pattern, allowing you to access and execute it to gain code execution on the target server.