> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/lfi/trick-0068.md).

# LFI via HTML Injection in PDF

***

Extended Content:\
Inject HTML tags containing local file paths into input fields that are later processed and rendered by a PDF generation service. The PDF renderer might attempt to load resources specified in the HTML, inadvertently including local file contents in the output PDF. Specifically, if the PDF generator processes user-supplied HTML and attempts to load external resources specified in tags like `<iframe>` or `<img>` using the `file://` scheme, it can be tricked into including the content of local files within the generated PDF document.

For example, modify a product title or description field to include HTML like:

```html
<iframe src="file:///etc/passwd"></iframe>
```

This payload attempts to load the content of the `/etc/passwd` file into an iframe within the PDF. Alternatively, an `<img>` tag can sometimes be used to embed the file content:

```html
<img src="file:///etc/passwd">
```

After submitting the modified data (e.g., placing an order), retrieve the generated PDF (e.g., at `/api/po/[ORDER_ID]`). Inspect the PDF for the content of the specified local file. The specific tag, scheme (`file://`, `file:////`), and path traversal required may vary depending on the PDF library (such as wkhtmltopdf) and application structure.
