Retrieve Contents over HTTP without curl or wget
I came across an interesting piece of vulnerable script in a post on V2EX [1]. A bash function named `__curl` inside the file retrieves contents over HTTP as a simple alternative to the commands `curl` or `wget`, in scenarios where no such utilities are available.
```bash
#!/bin/bash
function __curl() {
    # "http://host:port/path" -> proto="http:", server="host:port", path="path"
    read proto server path <<<$(echo ${1//// })
    DOC=/${path// //}          # restore the slashes in the path
    HOST=${server//:*}         # strip ":port"
    PORT=${server//*:}         # strip "host:"
    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80   # no port given: default to 80
    exec 3<>/dev/tcp/${HOST}/$PORT              # open a TCP socket on fd 3
    echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
    (while read line; do
        [[ "$line" == $'\r' ]] && break         # the blank line ends the headers
    done && cat) <&3                            # everything after it is the body
    exec 3>&-
}
```
The function makes use of certain less known features of Linux and the Bash language.

The first one is communicating over TCP through files. Linux employs a design philosophy of "everything is a file". One can find special device files in the directory `/dev`, through which we can manipulate the underlying devices. Specifically, a TCP socket connecting to `${HOST}:${PORT}` can be manipulated by accessing the device file `/dev/tcp/${HOST}/${PORT}`. Since HTTP is a text-based protocol over TCP, working with it is no more difficult than reading and writing a text file. The line `exec 3<>$FILENAME` opens the file `$FILENAME` in read-write mode and binds it to descriptor 3. The next line then manually composes an HTTP request and writes it out to `&3`, which in fact requests the URL `http://${HOST}:${PORT}${DOC}`. By reading the same file descriptor, we retrieve the response content from the service. The trick serves as a primitive workaround for retrieving contents from the web.

Another one is parameter substitution in Bash. The expression `${var//PATTERN/REPL}` substitutes all occurrences of `PATTERN` in `var` with `REPL`. If `REPL` is omitted, the matched substrings are deleted. For example, in this script, `${1//// }` replaces all slashes `/` with white spaces in the variable `$1`.
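As an added example (my own code, not the script from the post), the steps of `__curl` that need no network, the URL parsing and the header-skipping loop, factored into functions that can be exercised offline on constructed input, including the no-port and query-string cases the one-liners must handle. One caveat worth knowing: `/dev/tcp/...` is not a file on disk; Bash itself intercepts redirections to that path (only when built with network redirections), so the trick works in Bash but not in plain `sh`. The function names `parse_url`, `build_request` and `strip_headers` are chosen here.

```bash
#!/bin/bash
# Added example, not the script from the post: the steps of __curl that
# need no network, factored into functions and exercised on constructed input.

# Split "http://host[:port]/path" into "host port /path" using only the
# ${var//PATTERN/REPL} substitutions the post explains.
parse_url() {
    local url=$1 proto server path host port
    # "http://h:p/a/b" -> "http:  h:p a b"; `read` then splits on blanks,
    # so proto="http:", server="h:p", path="a b".
    read -r proto server path <<<"${url//\// }"
    host=${server//:*}      # delete ":port" (":*" matches to end of string)
    port=${server//*:}      # delete "host:" ("*:" matches up to the colon)
    [[ "$host" == "$port" ]] && port=80   # no colon: both equal, default 80
    echo "$host $port /${path// //}"      # put the slashes back; "" -> "/"
}

# The request __curl writes to fd 3. HTTP/1.0 without keep-alive makes the
# server close the connection after one response, so `cat` later hits EOF.
build_request() {
    local host=$1 doc=$2
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$doc" "$host"
}

# Skip the response headers. `read` strips the LF, so the blank line that
# ends the header block arrives as a lone CR; the body is passed through.
strip_headers() {
    local line
    while IFS= read -r line; do
        [[ "$line" == $'\r' ]] && break
    done
    cat
}
```

Piping a constructed response such as `printf 'HTTP/1.0 200 OK\r\n\r\nhello\n' | strip_headers` yields just the body, which is what `__curl` prints after the header loop.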
References
- [1] [Received an alert from Alibaba Cloud, can't tell what it is for, asking for advice - V2EX](https://www.v2ex.com/t/811424)
Author: hsfzxjy.
Link: .
License: CC BY-NC-ND 4.0.
All rights reserved by the author.
Commercial use of this post in any form is NOT permitted.
Non-commercial use of this post should be attributed with this block of text.