Shellshock

Finding Shellshock

  • /cgi-sys

  • /cgi-mod

  • /cgi-bin

> dirb http://10.129.88.173
    .. http://10.129.88.173/cgi-bin/        ..found/forbidden
    .. http://10.129.88.173/server-status/  ..found/forbidden

> dirb http://10.129.88.173/cgi-bin/ -X .sh
> dirb http://10.129.88.173/cgi-bin/ -X .sh,.php,.cgi,.pl,.py 
    .. http://10.129.88.173/cgi-bin/user.sh   ..found!

nmap 
didnt help at all:
> nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.129.88.173

try this next time
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/vulnscript.sh 10.x.x.x


gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56 -f 
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56/cgi-bin/ -x sh,cgi,pl,py,php

-f: flag appends / to end of directory 
-x: file extensions to search for

Exploiting Shellshock

Blind Shellshock

  • CGI might be vulnerable, even if your scan didnt find report it

  • 'searchsploit webmin' .. Results with 'cgi' - might be vulnerable

  • Find the cgi page, like 'session_login.cgi'

  • Might be hiding on 'view source'

  • Send it through burp/repeater for the injection

  • REF: beephtb

PreviousJavascriptNextSQL Injections (sqli)

Last updated

Was this helpful?