pdfsploit - PDF Security Test Generator

💀 pdfsploit

Source

Upload

Inject

Queue 0

No injections queued

Ctrl+B Build Ctrl+S Download 1-8 Inject

📄 Drop PDF here or create new Drag & drop supported

Drop PDF to load

Injected Payloads

Metadata Injection

Inject strings into PDF Info dictionary fields Related CVEs ↗

Presets:

Title Author Subject Keywords

⚠️ Detection: WAFs may flag <script> tags. Try event handlers or encoding.

XMP/XML Injection

Embed raw XMP XML metadata for XXE/SSRF testing XXE CVEs ↗

Presets:

Include DOCTYPE declaration Custom DOCTYPE XMP Content

⚠️ Detection: XML parsers may block SYSTEM entities. Try parameter entities.

JavaScript Injection

PDF JavaScript via OpenAction (runs in viewer sandbox) CVEs ↗

Presets:

JavaScript Code

⚠️ Detection: Many viewers disable JS by default. Test in Adobe Reader.

Polyglot/Tail Injection

Append content after %%EOF for file-type confusion CVEs ↗

Preset Payload

⚠️ Detection: Content-Type sniffing may reveal dual nature.

URI Action Injection

Add clickable links with /URI actions CVEs ↗

Presets:

URI Link Text

⚠️ Detection: Viewers may warn on javascript: URIs.

Embedded File Injection

Hide files inside PDF using /EmbeddedFiles

Filename File Content MIME Type

⚠️ Detection: AV scanners check embedded files. Test with benign content first.

Form Field Injection

Inject into AcroForm text field values

Presets:

Field Name Field Value

⚠️ Detection: Form data often extracted for processing - good XSS vector.

Annotation Injection

Add annotations with text or link actions

Annotation Type Content / URI

⚠️ Detection: Annotation text may be indexed by search engines.

Named Action Injection

Trigger predefined viewer actions CVEs ↗

Action Category

Named Actions

NextPage PrevPage FirstPage LastPage GoBack GoForward 🖨️ Print 💾 SaveAs 🔍 Find ⛶ FullScreen ⚙️ Preferences 🔎+ ZoomIn 🔎- ZoomOut ℹ️ GeneralInfo 🔖 AddBookmark 📄 PageInfo 📝 Spelling 🔊 ReadOutLoud ❌ Close 🚪 Quit FitPage FitWidth FitHeight FitVisible SinglePage TwoPages ToggleToolbar ToggleMenu ToggleAttach

Trigger

📋 Attack Vectors

Print: DoS via infinite print dialogs, printer abuse
SaveAs: Force download prompts, social engineering
Quit/Close: DoS, disrupt user workflows
FullScreen: UI confusion, phishing overlays
GeneralInfo: Trigger info display, leak metadata
GoBack/Forward: History manipulation

🖥️ Named Actions require desktop PDF readers (Adobe Acrobat, Foxit)

OOB Callback Injection

Trigger out-of-band callbacks for blind detection CVEs ↗

🔒 Collaborator URL

Set once, auto-fills callback URL with unique ID each time

Callback Method Callback URL

Triggers

📂 Open 📁 Close 💾 Save 🖨️ Print 👆 Click

📋 OOB Methods Reference

⭐ SubmitForm: HTTP GET to URL - most reliable in Acrobat
⭐ JS fetch: JavaScript HTTP request - Acrobat DC
URI: Simple HTTP link action
GoToR: Open remote PDF - http://, file://
ImportData: Import FDF from URL
Launch: External file - SMB/UNC paths
Sound/Movie: Remote media - HTTP callback
XFA: XFA form HTTP/SOAP requests

🖥️ Desktop Reader Required! Browser PDF viewers block OOB. Download and open in Adobe Acrobat Reader.