Web Application Penetration Testing with cURL

cURL is a computer software project providing a library and command-line tool for transferring data using various protocols.

CURL is simply awesome because of the following reasons...

·         CURL is an easy to use command line tool to send and receive files, and it supports almost all major protocols(DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS,  IMAP, IMAPS,  LDAP,  LDAPS,  POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP) in use.
·         Can be used inside your shell scripts with ease
·         Supports features like pause and resume of downloads
·         It has around 120 command line options for various tasks
·         It runs on all major operating systems(More than 40+ Operating systems)
·         Supports cookies, forms and SSL
·         Both curl command line tool and libcurl library are open source, so they can be used in any of your programs
·         It supports configuration files
·         Multiple upload with a single command
·         Progress bar, rate limiting, and download time details
·         IPV6 Support

CURL comes by default installed in most of the distributions. If you do not have curl tool installed, then it’s a single apt-get (apt-get install curl) or yum (yum install curl) command.

For this tutorial we had used “web for pentester” to support curl command. As you known this lab is vulnerable against many website based attack therefore we had choose curl as our weapon for attack.

Let’s begin!!

Command Injection Exploitation
You must be aware command injection vulnerability which allows to execute OS based arbitrary command, type following command to check directory list in targeted system:

Curl “;ls”

From given below image you can observe that it execute ping command as well as ls command, as result we found three PHP files in this directory.

Download File from URL
Curl is also use for download the data from any website or host machine, following command will download putty.exe file from website.
Curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe

HTTP Headers
Curl is use for identify HTTP method which helps in http verb tempering, type following command:
Curl -v -X http://www.google.com

From given below image you can perceive that only GET and HEAD methods are allowed on Google.

File Inclusion
This vulnerability allows an attacker to include a file on the web server, use following curl command to exploit it

Hence you can observe that we found data from inside etc/passwd

HTTP Authentication
HTTP Authentication is use to inform the server user’s username and password so that it can authenticate that you're allowed to send the request you're sending. Curl is use HTTP Basic authentication. Now type following command which required username and password for login into website through curl.

Curl -data “uname=test&pass=test” http://testphp.vulnweb.com/userinfo.php

If you will notice given below image carefully you can observe that following code contains user information inside the table such as Email-ID, phone number, address and etc.

File Upload
Upload option inside in website allow uploading of any image or text on that particular website, for example uploading any image on facebook.  Use curl command to upload the putty.exe file on targeted system.
Curl -F ‘image=@/root/Desktop/putty.exe’

Great! You can read the highlighted text is indicating towards directory “/upload/images/putty.exe” where file has been successfully uploaded.

Open above given directory in browser as

Awesome! From given below you can see putty.exe is uploaded


Post a Comment