| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by im3w1l 1582 days ago

Bash parses as it runs so something as simple as this works

  if [ $(date +%u) -ne 5 ]
  then
    exit
  fi
  (

2 comments

lloeki 1582 days ago

Bash even reads the file as it goes, so if you run a "long-running" script (a sleep is enough), edit far enough down, and write the file again, the previously started bash will end up running the new content once it gets up to reading where the change happened.

link

saba2008 1582 days ago

You can exploit it do distinguish whenever script is `curl | bash`'ed.

Add `sleep 1`, and detect pause on server. Then, if pause detected - serve attack payload. If not - somebody is careful enough to download and audit, so serve just the script.

link

jwilk 1582 days ago

https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...

Discussed on HN:

2020: https://news.ycombinator.com/item?id=25356757 (133 comments)

2018: https://news.ycombinator.com/item?id=17636032 (146 comments)

2016: https://news.ycombinator.com/item?id=11532599 (122 comments)

link

jwilk 1582 days ago

You could check syntax of the whole file (even the unreachable parts) with the -n option.

But that's not bulletproof; consider this code (adapted from <https://hal.archives-ouvertes.fr/hal-01513750/document>):

  if [ $(date +%u) -eq 5 ]
  then
      alias maybe=''
  else
      alias maybe=:
  fi
  maybe for x in; do :; done

"sh -n" always reports syntax error, even thought the script syntax is correct on Fridays.

link