DOMPDF RCE II

This exercise covers the exploitation of a vulnerability in the DOMPDF library.

Tier: PRO
Difficulty: Medium
Duration: 2-4 Hrs.
Users completed: 67
Badge: Media Badge

In this lab, we explore the exploitation of DOMPDF 2.0 to achieve remote code execution. The challenge is configured with $isRemoteEnabled turned off, which prevents the application from fetching remote assets. Our approach involves injecting an HTML style tag containing a base64-encoded malicious font and leveraging a Monolog gadget to gain RCE.

Following the steps outlined, you will create a valid font file containing the exploit, encode it appropriately, and inject it via HTML. The server then caches this font, allowing you to execute the payload through the phar protocol. This method bypasses the restriction on downloading remote assets: it lets you create a file on the server and then fetch it for code execution.
