
CVE-2022-25765 PoC — Command Injection

Associated Vulnerability
Title: Command Injection (CVE-2022-25765)
Description: The package pdfkit from 0.0.0 is vulnerable to Command Injection where the URL is not properly sanitized.

Description: Exploit for CVE-2022-25765 (pdfkit) - Command Injection

Readme
# Exploit for CVE-2022-25765 (pdfkit) - Command Injection

![GitHub CVE Cover](https://user-images.githubusercontent.com/23003787/219503380-083bd0fc-80e0-4d99-8f38-06c065aaa2d0.png)

**Like this repo? Give us a ⭐!**

*For educational and authorized security research purposes only.*

## Exploit Author

[@UNICORDev](https://unicord.dev) ([@NicPWNs](https://github.com/NicPWNs) and [@Dev-Yeoj](https://github.com/Dev-Yeoj))

## Vulnerability Description

The package pdfkit from 0.0.0 is vulnerable to Command Injection where the URL is not properly sanitized.

## Exploit Description

The Ruby gem `pdfkit` is commonly used for converting websites or HTML to PDF documents. Vulnerable versions (< 0.8.7.2) of this software can be passed a specially crafted URL containing a command that will be executed. This exploit generates such URLs or sends them to a vulnerable website running `pdfkit`.
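As an added defender-side example (not pdfkit's own code and not part of this exploit), the Ruby helper below flags installed pdfkit versions below the fixed release 0.8.7.2 named above and validates a user-supplied URL against a character allowlist before an application hands it to a PDF renderer. The function names, the allowlist and the sample inputs are assumptions of this example.

```ruby
# Added hardening example (not pdfkit's code and not the exploit's): reject
# untrusted URLs before they reach PDFKit, and flag gem versions below the
# fixed release named on this page. Names and the allowlist are assumptions.
require "rubygems"
require "uri"

FIXED_PDFKIT_VERSION = Gem::Version.new("0.8.7.2")

# Allowlist of characters this example is willing to forward to a renderer
# that builds a command line. It is deliberately stricter than RFC 3986:
# whitespace, quotes, backticks and other shell metacharacters are excluded.
SAFE_URL_CHARS = %r{\A[A-Za-z0-9\-._~:/?@&=+,%\#]+\z}

# True when the given pdfkit version predates the fix (0.8.7.2).
def pdfkit_version_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_PDFKIT_VERSION
end

# Returns [true, nil] when the URL may be forwarded, else [false, reason].
def validate_render_url(raw)
  return [false, "empty URL"] if raw.nil? || raw.strip.empty?
  return [false, "disallowed character"] unless raw.match?(SAFE_URL_CHARS)
  uri = URI.parse(raw)
  return [false, "scheme must be http or https"] unless %w[http https].include?(uri.scheme)
  return [false, "missing host"] if uri.host.nil? || uri.host.empty?
  [true, nil]
rescue URI::InvalidURIError => e
  [false, "unparseable URL: #{e.message}"]
end

# Constructed sample inputs for a stand-alone run (not taken from any real target).
if $PROGRAM_NAME == __FILE__
  puts "pdfkit 0.8.6 vulnerable? #{pdfkit_version_vulnerable?('0.8.6')}"
  samples = ["https://example.com/report?id=42", "ftp://example.com/x", "http://example.com/a b"]
  samples.each do |u|
    ok, reason = validate_render_url(u)
    status = ok ? "ok" : "rejected: #{reason}"
    puts "#{u.inspect} -> #{status}"
  end
end
```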

## Usage

```bash
python3 exploit-CVE-2022-25765.py -c <command>
python3 exploit-CVE-2022-25765.py -s <local-IP> <local-port>
python3 exploit-CVE-2022-25765.py -c <command> [-w <http://target.com/index.html> -p <parameter>]
python3 exploit-CVE-2022-25765.py -s <local-IP> <local-port> [-w <http://target.com/index.html> -p <parameter>]
python3 exploit-CVE-2022-25765.py -h
```

## Options

```
  -c    Custom command mode. Provide command to generate custom payload with.
  -s    Reverse shell mode. Provide local IP and port to generate reverse shell payload with.
  -w    URL of website running vulnerable pdfkit. (Optional)
  -p    POST parameter on website running vulnerable pdfkit. (Optional)
  -h    Show this help menu.
```

## Download

[Download exploit-CVE-2022-25765.py from GitHub](https://raw.githubusercontent.com/UNICORDev/exploit-CVE-2022-25765/main/exploit-CVE-2022-25765.py)

[Download exploit-CVE-2022-25765.py from ExploitDB](https://www.exploit-db.com/exploits/51293)

### Searchsploit (ExploitDB)

```bash
searchsploit -u
searchsploit -m 51293
```

## Exploit Requirements

- python3
- python3:requests
- python3:urllib3

## Demo

### Custom Command Mode

![cropped command](https://user-images.githubusercontent.com/23003787/221307314-3af99159-2768-4195-b51b-8279cc436a35.gif)

### Reverse Shell Sent to Target Website Mode

![exploit-CVE-2022–25765](https://user-images.githubusercontent.com/23003787/221304847-8d5cafaa-246a-432c-9301-f21271f6d607.gif)

## Tested On

pdfkit Version 0.8.6

## Applies To

pdfkit Versions < 0.8.7.2

## Test Environment

```bash
gem install pdfkit -v 0.8.6
```

## Credits

- https://nvd.nist.gov/vuln/detail/CVE-2022-25765
- https://security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
- https://app.hackthebox.com/machines/Precious
- https://www.exploit-db.com/exploits/51293