Web Application Penetration Testing with curl

curl is a computer software project providing a library and command-line tool for transferring data using various protocols.

CURL is simply awesome because of the following reasons…

  • CURL is an easy to use command line tool to send and receive files, and it supports almost all major protocols(DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS,  LDAP,  LDAPS,  POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET, and TFTP) in use.
  • Can be used inside your shell scripts with ease
  • Supports features like pause and resume of downloads
  • It has around 120 command line options for various tasks
  • It runs on all major operating systems(More than 40+ Operating systems)
  • Supports cookies, forms, and SSL
  • Both curl command line tool and libcurl library are open sources, so they can be used in any of your programs
  • It supports configuration files
  • Multiple uploads with a single command
  • Progress bar, rate limiting, and download time details
  • IPV6 Support

CURL comes by default installed in most of the distributions. If you do not have curl tool installed, then it’s a single apt-get (apt-get install curl) or yum (yum install curl) command.

For this tutorial, we had used “web for pentester” to support curl command. As you are known this lab is vulnerable against many websites based attack, therefore, we had chosen curl as our weapon for attack.

Let’s begin!!

Command Injection

You must be aware command injection vulnerability which allows executing OS based arbitrary command, type following command to check directory list in the targeted system:

From given below image you can observe that it execute ping command as well as ls command, as result we found three PHP files in this directory.

Download File from URL

Curl is also used for download the data from any website or host machine, the following command will download the putty.exe file from the website.

HTTP Headers

Curl is used to identifying HTTP method which helps in http verb tempering, type following command:

From given below image you can perceive that only GET and HEAD methods are allowed on Google.

File Inclusion

This vulnerability allows an attacker to include a file on the web server, use following curl command to exploit it

Hence you can observe that we found data from inside /etc/passwd

HTTP Authentication

HTTP Authentication is used to inform the server user’s username and password so that it can authenticate that you’re allowed to send the request you’re sending. Curl is used HTTP Basic authentication. Now type the following command which required username and password for login into the website through curl.

If you will notice given below image carefully you can observe that the following code contains user information inside the table such as Email-ID, phone number, address and etc.

File Upload

Upload option inside in website allow uploading of any image or text on that particular website, for example uploading an image on facebook.  Use curl command to upload the putty.exe file on the targeted system.

Great! You can read the highlighted text is indicating towards directory “/upload/images/putty.exe” where the file has been successfully uploaded.

Open above given directory in the browser as 192.168.0.16/upload/images/

 Awesome! From given below you can see putty.exe is uploaded

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *