Shulou(Shulou.com)05/31 Report--

This article mainly shows you how to use cURL in Web penetration testing. The content is simple and easy to understand. It is clearly organized. I hope it can help you solve your doubts. Let Xiaobian lead you to study and learn how to use cURL in Web penetration testing.

1. Overview

cURL is a tool for transferring data from the command line and supports multiple protocols.

cURL has the following characteristics:

1. Support multiple protocols, including: DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET, TFTP, etc.

Can be used in shell scripts

3. Support breakpoint resume and other functions, support progress bar, rate limit and download time details display

Contains 120 command-line options for different tasks

Support almost all operating systems (more than 40 operating systems)

Support cookies, forms and SSL

Curl and libcurl libraries are open source software and can be used in any program.

8. Support configuration files

9. Upload multiple files with a single command

Support IPv6 protocol

Most Linux distributions have curl installed by default, but if not, you can install it using apt install curl(ubuntu, debian, kali) or yum install curl(CentOS).

The environment used in this tutorial is Web For Pentester, an environment that contains multiple web application vulnerabilities.

2. Command injection vulnerability test

Open the Web For Pentester environment, which looks like this:

Click on Example1 in Commands injection

The default is to execute a ping command. We send http requests through curl and try executing other commands, such as ls view directory files.

The order reads as follows:

curl "http://192.168.177.137/commandexec/example1.php? ip=127.0.0.1;ls"

The return result is as follows:

You can find that the ls command is executed successfully, returning three file information under the directory, namely example1.php, example2.php, example3.php.

Of course, you can also view file information under other directories, such as this:

curl "http://192.168.177.137/commandexec/example1.php? ip=127.0.0.1;ls%20\/"

The information returned is the list of files downloaded from/root directory.

Related Operation Learning:

PHP Command Injection Attack: Understanding how command injection works through command-injection experiments. (Copy the link below to open the web page to operate)

http://www.hetianlab.com/expc.do? ec=2cf0139a-9d8a-4e91-96aa-f3fbec33205e

3. Download files from URLs

curl can download data from any website or host, such as a Putty tool

curl -O https://the.earth.li/~sgtatham/putty/latest/putty.exe

You can see the speed, progress and other details.

4. HTTP header information identification

curl can be used to test HTTP methods supported by the target site

The order reads as follows:

curl -v -X OPTIONS http://www.example.com

From the information returned, you can see the HTTP methods supported by the site

Related Operation Learning:

HTTP Protocol Foundation: Copy the following link to open the web page to operate

http://www.hetianlab.com/expc.do? ec=ECID9d6c0ca797abec2017041814433700001

5. Files contain vulnerability tests

The file inclusion vulnerability allows an attacker to include arbitrary files on a Web server for the purpose of reading sensitive information.

We can also test it with curl.

Test using example1 in File Include.

We try to include the/etc/passwd file on the server with the following command:

curl "http://192.168.177.137/fileincl/example1.php? page=/etc/passwd"

The return result is as follows:

The contents of the/etc/passwd file were successfully returned.

Related Operation Learning:

File inclusion vulnerability: File inclusion is divided into remote file inclusion and local file inclusion (copy the link below to open the web page to operate)

http://www.hetianlab.com/expc.do? ec=ECID172.19.104.182015060917272000001

6. HTTP authentication

Curl enables HTTP base authentication to log in to the target website.

The order reads as follows:

curl --data "uname=test&pass=test" http://testphp.vulnweb.com/userinfo.php

From the returned results, it contains information such as address and user name, indicating that the login was successful.

7. File upload vulnerability test

File upload vulnerability refers to a Web application that allows images or other files to be uploaded. If the filtering is not strict, it can lead to arbitrary file upload, such as uploading malicious code files.

Use example1 in File Upload for testing.

We try to upload the putty.exe file to the target server.

The order reads as follows:

curl -F 'image=@/root/putty.exe' http://192.168.177.137/upload/example1.php

The requested URL/upload/images/2016/10/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016/2016.jpg was not found on this server.

We can visit this directory to see if this is the case:

As you can see, the upload was indeed successful.

The above is "how to use cURL in Web penetration testing" all the content of this article, thank you for reading! I believe that everyone has a certain understanding, hope to share the content to help everyone, if you still want to learn more knowledge, welcome to pay attention to the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.