
PDF generation for downloading server configs

There is a nice project, hiqpdf.

It converts HTML into good-quality PDF, or into images.

But by default it does not take into account that JS or an iframe can be inserted into that HTML, and that this can be used for other purposes.


Well, without any hesitation I tried it on their own website.

So, in the browser console, I generate the iframes like this:

    // Build 1001 iframes, one per port 8000..9000. The HTML-to-PDF converter
    // renders them on the server, so each iframe is loaded from the server's
    // own localhost, not from the browser.
    var str = "";
    for (var i = 8000; i <= 9000; i++) {
        str += "#" + i;
        str += "<iframe src='http://localhost:" + i + "' height='60' width='300'></iframe><br/>";
    }
    str; // the console prints the resulting HTML, which is then pasted into the converter's input


It turned out something like this:

A port scan of sorts.

I found Splash there (of course, nmap can find this just as easily, and more: -p [8000-9000] -T4 -A -v hiqpdf.com, but this way is more interesting).







But things did not go quickly with them, so at the end I will demonstrate the vulnerability on other people's service, and to understand the mechanics of the process I made my own small demo.

There is a .NET API that simply returns a string, and that is all, plus there is code on the same server that generates the PDF. The code is taken directly from hiqpdf.com, without any extra fuss.







Now four iframes pointing at localhost/api/def/get:







OK, let's check that this really is .NET on Windows.

localhost/api/con.aspx: for those not up to speed, file names such as con, aux and a few others are forbidden on Windows. This goes back to the DOS days, when those names referred to specific devices.



For example, I like this site a lot, especially when I only have a phone at hand and want to type some code:

dotnetfiddle.net/con1.asmx: a handled error and the corresponding 404 page

dotnetfiddle.net/con.asmx: this one never reaches the managed code in the pool

dotnetfiddle.net/con.txt: and this is the way to learn the directory (Physical Path E:\sitesroot\0\con.txt)







Honestly, I have no idea why I would need the version; in theory it can help if it is an old one and you know zero-day vulnerabilities for it. OK, now the most interesting part: finding out the directory. On localhost my 404 errors are not hidden, and I get them as they are.







Since this is a .NET site, the web.config file is in the root:







That was the lightweight demo.

And now on real data (someone's production system; they have since closed the hole ;)







Oh, there the section is included from the file connections.config; conveniently, it downloads perfectly as is:







And some more data:







I think everything is clear here, and there is no point in posting more screenshots.

A pity that the database itself is closed from the outside.

And I don't know how to do that from JS (yes, you can use not only an iframe there, but JS as well).



Let me say right away: hiqpdf has nothing to do with it. The problem is the application's configuration and the code that sends data to the PDF renderer (if you know the data is not supposed to contain HTML, you need to HtmlEncode it); any other library, for example the standard WebBrowser component, can be abused the same way.



A continuation: it turns out that some people want neither PDF nor HTML but an image, say PNG. And they use the WebBrowser component to get the picture (they kindly shared a piece of code with me, but asked not to disclose the name of the product it is used in).

The gist: you can write JS, and it gets executed in the default System.Windows.Forms.WebBrowser component:







Here is the source:

    using System.Drawing;
    using System.Drawing.Imaging;
    using System.IO;
    using System.Threading;
    using System.Windows.Forms;

    // Renders htmlCode to a PNG. The HTML is loaded into an embedded IE (WebBrowser),
    // so any script or iframe inside it runs with the app pool's identity and network position.
    static void RenderHtmlToPng(string htmlCode, double scale, Stream stream)
    {
        using (WebBrowser br = new WebBrowser())
        {
            AutoResetEvent loadingWaiter = new AutoResetEvent(false);
            br.AllowNavigation = true;
            br.ScrollBarsEnabled = false;
            br.ScriptErrorsSuppressed = true;   // script errors are swallowed, nothing is logged
            br.DocumentText = "0";              // initialise the Document object
            br.Width = 1024;
            br.Document.OpenNew(true);
            br.Document.Write(htmlCode);        // untrusted HTML is written in as is
            br.Refresh();
            br.DocumentCompleted += (a, b) => loadingWaiter.Set();
            loadingWaiter.WaitOne(590);         // wait up to 590 ms for the load to finish
            br.Height = (int)(br.Document.Body.ScrollRectangle.Height * scale + 1);
            using (Bitmap bmp = new Bitmap(br.Width, br.Height))
            {
                br.DrawToBitmap(bmp, new Rectangle(0, 0, br.Width, br.Height));
                bmp.Save(stream, ImageFormat.Png);
            }
        }
    }




I cannot say anything about how sane this is, because I was never interested in the problem of producing an image from arbitrary HTML.

At the time of discovery it was enough to send 1k requests to the API (yes, it ran on IIS, and the alerts, as I understand it, if there were any, would have been on that same server, and only if you log in under the account the pool runs as).



How to fix it: WebBrowser is IE, and you need to disable JS for it on the Windows server. In my experience that is the default, and I was very lucky that it turned out otherwise here.

But that is a workaround; properly, of course, you must not feed data into such components as is. If you know you use such a component and the client data can contain control characters, they need to be escaped.

For HTML/JS, HtmlEncode is sufficient.

And in case you need it, HiqPdf can disable JS via htmlToPdfConverter.RunJavaScript = false.
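As an added example (not code from the post, and not the hiqpdf or WebBrowser API), here is the difference in C# between concatenating the client string into the document and HtmlEncoding it first, plus a sanity check that rejects iframe/script markup in the document handed to the renderer; the class, method names and sample payload are mine.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Two ways of building the HTML that goes to a server-side PDF/image renderer.
static class PdfInput
{
    // Vulnerable: the client string is concatenated into the document as is,
    // so "<iframe src='http://localhost:8080'>" becomes a real iframe that the
    // renderer will load from the server's own localhost.
    public static string BuildUnsafe(string clientText)
    {
        return "<html><body><p>" + clientText + "</p></body></html>";
    }

    // Hardened: when the field is supposed to be plain text, HtmlEncode it.
    // '<' becomes "&lt;", so the renderer shows the tag as text instead of acting on it.
    public static string BuildSafe(string clientText)
    {
        return "<html><body><p>" + WebUtility.HtmlEncode(clientText) + "</p></body></html>";
    }

    // Sanity check on the finished document: flag markup that makes the renderer
    // fetch or run something. A check, not a replacement for encoding.
    static readonly Regex ActiveContent =
        new Regex(@"<\s*(iframe|script|object|embed|img)\b", RegexOptions.IgnoreCase);

    public static bool ContainsActiveContent(string html)
    {
        return ActiveContent.IsMatch(html);
    }

    static void Main()
    {
        // Constructed sample in the same shape as the post's iframe payload.
        string payload = "#8080<iframe src='http://localhost:8080' height='60' width='300'></iframe>";

        string unsafeDoc = BuildUnsafe(payload);   // contains a live iframe
        string safeDoc = BuildSafe(payload);       // iframe is now literal text

        Console.WriteLine("unsafe document has active content: " + ContainsActiveContent(unsafeDoc));
        Console.WriteLine("safe document has active content:   " + ContainsActiveContent(safeDoc));
        Console.WriteLine(safeDoc);
    }
}
```

The encoding step is what matters regardless of the converter; the RunJavaScript switch mentioned above only reduces what a stray tag can do once it is already in the document.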



All this is not as impressive as last time, but, as you can see, it can also help in retrieving server configs.

Source: https://habr.com/ru/post/354476/
