DOMPDF RCE

This challenge involves leveraging the DOMPDF library to achieve remote code execution. DOMPDF, when configured with $isRemoteEnabled set to true, can fetch external stylesheets. By injecting a stylesheet link that points to a malicious font file, you can trick DOMPDF into caching your malicious file with a .php extension. This file is stored in the /dompdf/lib/fonts/ directory and can be executed by navigating to its URL.

To carry out the attack, you'll need to create a CSS file with an @font-face rule that specifies your malicious font hosted on your server. When DOMPDF processes this CSS, it will fetch and cache the font file in its fonts directory. The cached file will have a predictable name pattern, allowing you to access and execute it to gain code execution on the target server.