I came across an interesting vulnerable script in a post on V2EX. A Bash function named __curl inside the file retrieves content over HTTP as a simple stand-in for the commands curl or wget, for scenarios where neither utility is available.
The function makes use of two lesser-known features of Linux and the Bash language.
The first is communicating over TCP through files. Linux follows the design philosophy that "everything is a file": special device files under the directory /dev let us manipulate the underlying devices by ordinary reads and writes. In the same spirit, Bash exposes a TCP socket connected to ${HOST}:${PORT} through the pseudo-path /dev/tcp/${HOST}/${PORT} (this path is provided by Bash itself, not by the kernel). Since HTTP is a text-based protocol over TCP, working with it is no more difficult than reading and writing a text file. The line exec 3<>$FILENAME opens $FILENAME in read-write mode and binds it to file descriptor 3. The next line manually composes an HTTP request and writes it to &3, which in effect requests the URL http://${HOST}:${PORT}. Reading from the same file descriptor then yields the server's response. The trick serves as a primitive workaround for retrieving content from the web; note that the response comes back with its status line and headers in front of the body, and that nothing on this channel is encrypted.
The second is pattern substitution in Bash parameter expansion. The expression ${var//PATTERN/REPL} replaces every occurrence of PATTERN in var with REPL (a single slash, ${var/PATTERN/REPL}, replaces only the first). If REPL is omitted, the matched substrings are deleted. In this script, for example, ${1//// } replaces every slash / in the variable $1 with a space: the first two slashes select global replacement, the third is the pattern, and the space after the fourth is the replacement. Splitting a URL this way is what lets the function pick out the host, port and path with nothing but the shell.
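As an added example (not the script from the V2EX post, which is not reproduced here), the following Bash functions combine the two features described above: parse_url splits a URL with the ${url//// } substitution, http_body separates the HTTP response headers from the body, and http_get performs the request over /dev/tcp. The function names are my own. Two points a practitioner would want: /dev/tcp speaks plain TCP, so this works only for http:// URLs and nothing on the channel is encrypted or authenticated; and the substituted string is kept quoted and handed to read -r, so the shell never performs word splitting or pathname expansion on URL text that came from outside.

```bash
#!/usr/bin/env bash
# Added example; not the __curl function from the post. Bash-only: both
# /dev/tcp and ${var//PATTERN/REPL} are Bash features, not POSIX sh.

# parse_url URL -> prints "HOST PORT PATH" on one line, or fails for non-http URLs.
# "${url//// }" turns "http://host:8080/a/b" into "http:  host:8080 a b";
# read -r then takes the scheme, the host:port word and the rest of the path.
# The expansion is double-quoted so a URL containing * or ? is never globbed.
parse_url() {
    local url=$1 scheme hostport rest host port path
    read -r scheme hostport rest <<< "${url//// }"
    if [ "$scheme" != "http:" ]; then
        echo "parse_url: only http:// is supported (/dev/tcp has no TLS)" >&2
        return 1
    fi
    host=${hostport%%:*}
    port=80
    [ "$hostport" != "$host" ] && port=${hostport#*:}
    # Put the slashes back into the path; an empty remainder means "/".
    path="/${rest// //}"
    printf '%s %s %s\n' "$host" "$port" "$path"
}

# http_body: read a raw HTTP response on stdin, print only the body.
# Returns 0 for a 2xx status and 22 (like curl -f) for anything else.
http_body() {
    local line status in_body=0 first=1
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$in_body" = 1 ]; then
            printf '%s\n' "$line"
            continue
        fi
        line=${line%$'\r'}                   # header lines are CRLF-terminated
        if [ "$first" = 1 ]; then
            first=0
            read -r _ status _ <<< "$line"   # "HTTP/1.0 200 OK" -> 200
        elif [ -z "$line" ]; then
            in_body=1                        # blank line ends the headers
        fi
    done
    case $status in
        2??) return 0 ;;
        *)   echo "http_body: server returned status ${status:-none}" >&2; return 22 ;;
    esac
}

# http_get URL -> prints the response body, using fd 3 as the socket.
# HTTP/1.0 plus "Connection: close" makes the server end the connection
# after one response, so reading until EOF is enough (no chunked encoding).
http_get() {
    local host port path
    read -r host port path < <(parse_url "$1") || return 1
    exec 3<>"/dev/tcp/${host}/${port}" || return 1
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" >&3
    http_body <&3
    local rc=$?
    exec 3>&-
    return "$rc"
}

# Only touch the network when a URL is given on the command line,
# e.g.:  bash fetch.sh http://example.com/
if [ $# -gt 0 ]; then
    http_get "$1"
fi
```

Usage: save as fetch.sh and run bash fetch.sh http://HOST[:PORT]/PATH; with no argument the script only defines the functions, so parse_url and http_body can be exercised offline on constructed input.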