• Status: Solved

Help explain this unix command


Can someone please explain the lines below to me:

Wordpress DOS Proof-Of-Concept :
for random in `seq 1 $requests`; do
curl -A Firefox -o --url "http://localhost/s?=$random">  /dev/null 2>&1 &

Thank you
1 Solution
The statement creates an "array" of numbers starting at "1" up to the value stored in the variable "requests", using the "seq" utility.

A "for" loop uses these numbers one by one to store them in the variable "random" to then run a curl command using this variable, like

curl -A Firefox -o --url "http://localhost/s?=1">  /dev/null 2>&1 &
curl -A Firefox -o --url "http://localhost/s?=2">  /dev/null 2>&1 &
curl -A Firefox -o --url "http://localhost/s?=3">  /dev/null 2>&1 &

The outputs of these curl commands are discarded by redirecting standard output (stdout = "1") as well as standard error (stderr = "2") to the null device.

The "&" at the end is used to run the curl commands in background, so they will run in parallel.

The whole construct is missing the important "done" statement at the end (did you forget to post line 4?), and the first line starting with "Wordpress ..." will produce an error, because "Wordpress" is not a shell command, afaik.

toyen (Author) Commented:
Thanks for your response, woolmilkporc.

Can you let me know what line 4 should be?

Also, may I know if this is a command to find a vulnerability in WordPress? Is it possible? I understand WordPress has tough coding.
Thanks very much
for random in `seq 1 $requests`; do
curl -A Firefox -o --url "http://localhost/s?=$random">  /dev/null 2>&1 &
done

As for the curl command itself - the statement does nothing other than call the URL http://localhost/, which is the default page of your local machine's webserver, passing it the parameter "s" set to 1,2,3,..., using Firefox as the user agent.

Do you run a local Wordpress server? Otherwise I could not see which way this curl should be usable to test Wordpress - and even if there were a local Wordpress server, you would only fetch what the server would give you when receiving s=1,2,3... and I can't tell you whether this could be useful for finding vulnerabilities, sorry!

By the way, "-o" normally designates an output file whose name seems to be missing here by mistake - correct form should be "-o /path/to/outputfile".
Since it's running in the background, this MIGHT be an attempt to determine how many concurrent connections the App would support.

As far as vulnerabilities, DOS (Denial Of Service) would be about all it could prove.
This would explain the first line of the post.

"Wordpress DOS Proof-Of-Concept :"   This should probably have a # in column 1 (comment)

So, if you implement woolmilkporc's recommendations above, and set $requests to a high enough number, you may find that the webserver / app is unusable.
Question has a verified solution.
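
What the loop discussed in this thread looks like from the server side, as an added example that is not part of any post above: a shell function that scans a web server access log for one client requesting many different numeric query values within the same minute. It assumes the common "combined" log format; the names flag_bursts and sample_log, the log lines, the addresses and the threshold of 20 are all constructed for illustration.

```shell
#!/bin/sh
# flag_bursts THRESHOLD < access.log
# Prints "client minute distinct_values" for every client that requested at
# least THRESHOLD different numeric query values within one minute.
flag_bursts() {
    awk -v min="$1" '
        # $1 = client, $4 = "[dd/Mon/yyyy:hh:mm:ss", $7 = request target
        $7 ~ /\?[A-Za-z_]*=[0-9]+$/ {
            bucket = $1 SUBSEP substr($4, 2, 17)   # client + minute
            if (!((bucket, $7) in seen)) {         # count each value once
                seen[bucket, $7] = 1
                hits[bucket]++
            }
        }
        END {
            for (b in hits)
                if (hits[b] >= min) {
                    split(b, part, SUBSEP)
                    print part[1], part[2], hits[b]
                }
        }
    ' | sort
}

# Constructed sample log (assumed combined format, documentation addresses).
sample_log() {
    # Ordinary visitor: one word search and one numeric page id.
    printf '%s\n' \
      '198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /?s=backup+plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' \
      '198.51.100.7 - - [10/Oct/2023:13:55:09 +0000] "GET /?p=42 HTTP/1.1" 200 7344 "-" "Mozilla/5.0"'
    # Same shape as the loop in the question: one log line per seq value.
    for n in $(seq 1 30); do
        printf '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /s?=%s HTTP/1.1" 200 512 "-" "Firefox"\n' "$n"
    done
}

# Only the client that walked through 30 values is reported.
sample_log | flag_bursts 20
```

Counting distinct values rather than raw requests keeps a visitor who reloads one numeric page many times out of the report.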
