";
31 |
32 | if($font = $dompdf->getFontMetrics()->getFont("gotcha", "normal") or $font = $dompdf->getFontMetrics()->getFont("rshell", "normal")){
33 | $html .= "Gotcha hack";
34 | }
35 |
36 | $html .= "";
37 | $html .= "";
38 |
39 | $dompdf->loadHtml($html);
40 | $dompdf->setPaper('A5', 'portrait');
41 |
42 | // lets us know if something goes wrong
43 | global $_dompdf_show_warnings;
44 | $_dompdf_show_warnings = true;
45 |
46 | // render the HTML as PDF
47 | $dompdf->render();
48 |
49 | // output the generated PDF to browser
50 | $dompdf->stream($filename, array('Attachment' => 0));
51 |
52 | ?>
53 |
--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
1 | # PHP Goof - Snyk's vulnerable demo php app
2 |
3 | A vulnerable PHP demo todo application that is for demonstration and education purposes only, i take no responsibility for this being used with malicious intent nor should this be used for malicious intent (or be run in any product environment).
4 |
5 | 
6 |
7 | ## Requisites & Running
8 |
9 | - PHP 7.4+
10 | - Mysql or MariaDB
11 | - Composer 2
12 |
13 | Run composer install from the project root directory
14 |
15 | Create mysql or mariaDB database and update the db.php file, with database details.
16 |
17 | Import sql/database.sql file into the newly created database or run the following table create.
18 |
19 | ```
20 | CREATE TABLE `task` (
21 | `id` int(11) NOT NULL AUTO_INCREMENT,
22 | `title` varchar(255) NOT NULL,
23 | `created_at` timestamp NOT NULL DEFAULT current_timestamp(),
24 | PRIMARY KEY (`id`)
25 | ) ENGINE=InnoDB AUTO_INCREMENT=76 DEFAULT CHARSET=utf8mb3;
26 | ```
27 |
28 | Finally, Using the PHP built in server run the code from the root app directory
29 |
30 | ```
31 | php -S localhost:8000
32 | ```
33 |
34 | ## Exploiting the vulnerabilities
35 |
36 | ### Commonmark XSS Vulnerability
37 |
38 | [SNYK-PHP-LEAGUECOMMONMARK-174004](https://security.snyk.io/vuln/SNYK-PHP-LEAGUECOMMONMARK-174004)
39 |
40 | ```
41 | * Markdown link
42 | This is **markdown**
43 |
44 | * Markdown link
45 | [Snyk](https://snyk.io/)
46 |
47 | * Failed XSS
48 | [Gotcha](javascript:alert(1))
49 |
50 | * Failed XSS despite URL encoding
51 | [Gotcha](javascript:alert(1))
52 |
53 | * Successfull XSS using vuln and browser interpretation
54 | [Gotcha](javascript:alert%28'Gotcha'%29)
55 | ```
56 |
57 | ### PHPMailer
58 |
59 | [SNYK-PHP-PHPMAILERPHPMAILER-1311001](https://security.snyk.io/vuln/SNYK-PHP-PHPMAILERPHPMAILER-1311001)
60 |
61 | Uses the `validateAddress()` exploit from PHPMailer 6.4.1 to execute the global `PHP()` function by default. If no argument is passed into the `validateAddress()` function, which isnt in this demo, PHPMailer sets "PHP" as the default value and runs it if its available in the scope.
62 |
63 | To run click the email icon next to a line entry to send an email reminder.
64 |
65 | Note: No emails will actually send or are being stored, only validating the email address entered into the input using the PHPMailer library.
66 |
67 |
68 | ### dompdf remote code execution
69 |
70 | [SNYK-PHP-DOMPDFDOMPDF-2428942](https://security.snyk.io/vuln/SNYK-PHP-DOMPDFDOMPDF-2428942)
71 |
72 | [Read more about this Vulnerability](https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/)
73 |
74 | This vulnerability is using dompdf library version 1.2.0 and allows for remote code execution on the target application. In this app there is a custom font called gotcha-normal.otf which has `` loaded into the copyright font meta.
75 |
76 | The font file is then referenced as a `font-family` in the CSS file `gotcha.css` which is then injected into the dompdf html output via a stylesheet link.
77 |
78 | Dompdf loads the style sheet and saves the custom font type to the dompdf font cache (and as part of the framework). This can then be remotely executed.
79 |
80 | *** Note: in the CSS font-family, the font name needs to match the actual font name or this will not work.
81 |
82 | To use this in this app, load the below code into a todo item and click pdf on its line entry, chicken and egg note that you will need to refresh the PDF with the file examples below so that the link generates into the pdf to click.
83 |
84 | ```
85 |
86 | ```
87 | Additional, added an example that uses a reverse shell by using a php `eval()` in a font file leveraging the RCE exploit. This works the same as above but using the below CSS. To use it simply load any get variable into the url when the gotcha link is created in the pdf, example `...?test=phpinfo();`. Regular $_GET references didnt work but `reset()` did which will pick up the first in the $ array and run it in `eval()`.
88 |
89 | Note this uses a different font file and family in the exploit folder.
90 |
91 | ```
92 |
93 | ```
94 |
--------------------------------------------------------------------------------
/sql/database.sql:
--------------------------------------------------------------------------------
1 | -- MariaDB dump 10.19 Distrib 10.6.3-MariaDB, for osx10.16 (x86_64)
2 | --
3 | -- Host: localhost Database: phpgoof
4 | -- ------------------------------------------------------
5 | -- Server version 10.6.3-MariaDB
6 |
7 | /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
8 | /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
9 | /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
10 | /*!40101 SET NAMES utf8mb4 */;
11 | /*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
12 | /*!40103 SET TIME_ZONE='+00:00' */;
13 | /*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
14 | /*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
15 | /*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
16 | /*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
17 |
18 | --
19 | -- Table structure for table `task`
20 | --
21 |
22 | DROP TABLE IF EXISTS `task`;
23 | /*!40101 SET @saved_cs_client = @@character_set_client */;
24 | /*!40101 SET character_set_client = utf8 */;
25 | CREATE TABLE `task` (
26 | `id` int(11) NOT NULL AUTO_INCREMENT,
27 | `title` varchar(255) NOT NULL,
28 | `created_at` timestamp NOT NULL DEFAULT current_timestamp(),
29 | PRIMARY KEY (`id`)
30 | ) ENGINE=InnoDB AUTO_INCREMENT=76 DEFAULT CHARSET=utf8mb3;
31 | /*!40101 SET character_set_client = @saved_cs_client */;
32 |
33 | --
34 | -- Dumping data for table `task`
35 | --
36 |
37 | LOCK TABLES `task` WRITE;
38 | /*!40000 ALTER TABLE `task` DISABLE KEYS */;
39 | /*!40000 ALTER TABLE `task` ENABLE KEYS */;
40 | UNLOCK TABLES;
41 | /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
42 |
43 | /*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
44 | /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
45 | /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
46 | /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
47 | /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
48 | /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
49 | /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
50 |
51 | -- Dump completed on 2021-11-04 10:52:52
52 |
--------------------------------------------------------------------------------
/tasks.php:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------