I came across an interesting piece of vulnerable script in a thread on V2EX. A bash function in it named __curl serves as a simple alternative to the commands curl or wget, and works in scenarios where no such utilities are available.

The function relies on a few lesser-known features of Linux and the Bash language.

The first is communicating over TCP through files. Linux follows the design principle that "everything is a file": certain devices are exposed as files that can be accessed under the directory /dev. For example, a TCP socket connected to ${HOST}:${PORT} can be manipulated through the device file /dev/tcp/${HOST}/${PORT}. The line exec 3<>$FILENAME opens the file $FILENAME in read-write mode and binds it to descriptor 3. The next line composes an HTTP message by hand and writes it out to &3, which in effect sends a request to the URL. Reading from the same file then retrieves the response content. The trick serves as a primitive workaround for retrieving web content.

The other is parameter substitution in Bash. The syntax ${var//PATTERN/REPL} replaces every occurrence of PATTERN in var with REPL. If REPL is omitted, the matched substrings are deleted. For example, in this script ${1//// } replaces every slash / in the variable $1 with a space.
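The following is an added example, not the __curl from the V2EX thread, that puts both techniques together: a URL splitter built on the ${1//// } substitution, and a fetch that opens /dev/tcp/HOST/PORT on descriptor 3 with exec 3<>. One caveat worth knowing: the /dev/tcp path is interpreted by bash itself rather than existing as a file under /dev, so this only works in bash built with network redirections, not in plain sh; the hosts and URLs below are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the __curl script from the V2EX thread. Hosts and URLs
# used here are constructed placeholders.

# ${1//// } as used in the script: every "/" in $1 becomes a space.
slashes_to_spaces() { printf '%s\n' "${1//// }"; }

# The same substitution with REPL omitted: every "/" is simply deleted.
strip_slashes() { printf '%s\n' "${1//\/}"; }

# Turn "http://host[:port]/path" into the three words "host port path".
# The slash-to-space trick lets the shell's own word splitting do the parsing.
# Limitation of the trick: repeated or trailing slashes collapse, and glob
# characters in the URL would be subject to pathname expansion.
parse_url() {
    set -- ${1//// }                   # http://h:8080/a/b  ->  http: h:8080 a b
    [ "$1" = "http:" ] || { echo "only http:// URLs are supported" >&2; return 1; }
    local hostport="$2"
    shift 2                            # what is left are the path segments
    local IFS='/'                      # "$*" joins the remaining words with "/"
    local path="/$*"                   # no segments at all -> "/"
    local host="${hostport%%:*}"       # text before the first ":"
    local port="${hostport#*:}"        # text after it, if any
    [ "$port" = "$hostport" ] && port=80   # no ":port" present: default to 80
    printf '%s %s %s\n' "$host" "$port" "$path"
}

# The fetch itself: open a read-write socket on descriptor 3 through bash's
# /dev/tcp/HOST/PORT, write a raw HTTP/1.0 request to it, read the reply back.
__curl_like() {
    local fields
    fields=$(parse_url "$1") || return 1
    set -- $fields
    local host="$1" port="$2" path="$3"
    exec 3<>"/dev/tcp/${host}/${port}" || return 1
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' \
        "$path" "$host" >&3
    cat <&3                            # headers and body, exactly as received
    exec 3>&-                          # close the socket
}

# Example call (needs network access; the URL is a placeholder):
# __curl_like http://example.com/index.html
```

Because no curl or wget process is ever started, the outbound connection belongs to the bash process itself, which matters when a detection rule keys on those tool names rather than on the network activity.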
