zlacker

[return to "Detecting the use of "curl | bash" server-side"]
1. charle+gc[view] [source] 2018-07-29 06:17:14
>>rubyn0+(OP)
The sleep cleverness is excessive though - what you really want to know is if the script you're returning is being executed as it's sent. If it is, then you can be pretty confident that a human isn't reading it line by line.

1. Send your response as transfer-encoding: chunked and tcp_nodelay

2. Send the first command as

    curl www.example.com/$unique_id
Then the server waits before sending the next command - if it gets the ping from the script, we know that whatever is executing the script is running the commands as they're sent, and is therefore unlikely to be read by a human before the next command runs. If it doesn't ping within a second or so, proceed with the innocent payload.

For extra evil deniability, structure your malicious payload as a substring of a plausibly valid sequence of commands - then simply hang the socket partway through. Future investigation will make it look like a network issue.

◧◩
2. brianb+KS[view] [source] 2018-07-29 18:05:31
>>charle+gc
This would reveal your intent to a human reader. I think the author of the article was trying to avoid doing that.
[go to top]