
M1cR0xf7/curl-shell-pipe


Piping curl to Shell: User-Agent Based Attack

curl example.com/script.sh | bash

Piping curl to shell is dangerous. You should never pipe untrusted data streams into bash.

This is a demonstration of what can happen when you pipe an untrusted (malicious) data stream, such as one you fetch with curl, into bash.

Running

You need to have Go installed on your system.

go run server.go

It serves on localhost:8080. When you open localhost:8080 in a web browser, you see the contents of good.sh. When you request the same URL with curl, the server returns the contents of evil.sh instead, because it chooses the response based on the request's User-Agent.

curl http://localhost:8080

evil.sh could contain harmful code that may break your system or do even worse.

The best way to avoid this kind of trouble is to not pipe untrusted scripts into bash. Check the script's SHA checksum and read the script before running it.

# download the script into the /tmp directory
curl -s example.com/script.sh > /tmp/script.sh
# read the downloaded copy using cat, less or your favourite text editor
cat /tmp/script.sh
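
The checksum step above can be made a hard gate, so that the exact bytes that were hashed are the bytes that get run. The following is an added example, not part of this repository: the function names are hypothetical, and it assumes the publisher provides a SHA-256 for the script over a channel you trust.

```shell
#!/usr/bin/env bash
# Added example: refuse to run a downloaded script unless it matches a pinned SHA-256.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256 -> returns 0 if the file matches the pin, 1 otherwise.
verify_script() {
    local file="$1" expected actual
    # Accept upper- or lower-case hex in the published checksum.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual" >&2
        return 1
    fi
}

# fetch_verified URL EXPECTED_SHA256 -> prints the path of the verified local copy.
# The script is fetched once; a second request could be answered with different content.
fetch_verified() {
    local url="$1" expected="$2" tmp
    tmp=$(mktemp) || return 1
    # -f: fail on HTTP errors, -sS: quiet but report errors, -L: follow redirects
    if curl -fsSL "$url" -o "$tmp" && verify_script "$tmp" "$expected"; then
        printf '%s\n' "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage (URL and hash are placeholders):
#   script=$(fetch_verified "https://example.com/script.sh" "<published sha256>") \
#       && less "$script" && bash "$script"
```

A checksum served from the same host as the script gives no protection here, since that server can answer the checksum request selectively too.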

Related articles

LICENSE

GPL-3.0 license