Hacking with cURL: Unleash the CLI beast

Manas Harsh
3 min readJan 19, 2023
Source:- GeeksforGeeks

Curl, or client URL is a command line tool that enables data exchange between a device and a server through a terminal. We can use this tool on almost every OS. Today’s blog is focused on how do we use it in our pentesting & bug bounties. Best thing about curl is it supports almost all major protocols i.e.- DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET, and TFTP.

When we use curl, what basically we are doing is, we are sending/recieving the data to/from a server. Now, think of some scenarios where we can use it in our pentests. Got any? If yes, good! If not, no worries let me explain.

First thing you can check in curl is, what you can do with it. Hit a simple command called

Curl -h

This will look something like this:-

Now if you can see, there are multiple options here. It depends on you what do you want to do with it, you can follow JavaTpoint for that!

Now, we can do a lot of stuff here with options. Sometimes, you have to submit a file to a remote server and if you want to do it with curl, there is a command:-

curl -F file=@“file.exe" http://example.com/file/upload/

This will upload your file to desired server and then you can try RCEs etc.

Another great example of using curl in pentests is we can modify the default DNS config. It is more of a network pentest side but still, it does the job:-

$ curl --dns-ipv4-addr 192.168.0.1 http://www.example.com
$ curl --dns-interface eth1 http://www.example.com

DNS request to resolve the hostname will originate from 192.168.0.1 or from eth1.

You can use curl to brute force/fuzz a login form as well:-

$ curl --data "email=test@example.com&password=test" http://1.1.1.1/login.php

We can also try creating new users through curl:-

$ curl --data "name=test&email=test@test.com&password=test" http://10.10.10.10/newuser.php

Capture a full trace of the HTTP request:-

$ curl --trace - https://example.com/

We can use it to download a file from server as well:-

 
curl –O https://example.com/file.exe

Identifying HTTP headers allowed on a server:-

curl –v –X OPTIONS http://www.google.com

Curl is also used in HTTP authentication. Authentication is used to inform the server user’s username and password so that it can authenticate that you’re allowed to send the request you’re sending. We can use this command to check it:-

curl —data “uname=test&pass=test” http://example.com/login.php

We can specify a referer to a request:-

$ curl --referer http://www.domain.com/login.php http://www.domain.com/admin

Last but not the lease, we all need log files! curl can also generate nice output to be processed by another tool. It can generate personalized outputs:

$ curl --silent --write-out "Response code: %{http_code}\nTotal time: %{time_total}" https://example.com

These are SOME of the best use cases from Curl. There could be many more cases such as getting request from GET/POST parameters etc but I have put the best ones which I know. Let me know in comment section, or my twitter DM if you have better ones. For now, enjoy these curl usage.

All the best! Happy hacking ❤

Twitter:- @manasH4rsh

Linkedin:- Manas Harsh

--

--

Manas Harsh

Security Enginner | Synack Red Teamer | Writer | Learner, achiever & Contributor