I'm working my way through the Essential lab at the moment; here is a sample exercise that Louis Nyffenegger gave me permission to repost.
CVE-2014-6271/Shellshock
This is not a new vulnerability: it was reported some years back and it hit practically every Linux or Unix operating system that was running bash. It is a simple vulnerability to exploit; you just need a web browser and an application proxy such as Burp.
Here I am just going to give a summary of how to exploit a Linux web server running a CGI application. Note that the Shellshock attack vector is not limited to the web alone; it can also be delivered via SSH, Telnet and, in some cases, FTP. For this example, we will inject the vulnerable code via the User-Agent header. You will need to intercept the request and send it to Repeater:
As you can see, the right pane shows some JSON-formatted output of the Linux server's uptime. Also, the URI points to a 'status' script. This is a good indicator for Shellshock exploitation. Let's try injecting some simple code into the User-Agent header:
() { :;}; /sbin/ifconfig
I tried other commands such as whoami and id, but nothing appeared, which is why it is important to test different commands and see which ones work. With positive visual confirmation from the ifconfig command, I will now try to use netcat to listen on port 1234 on the victim machine :) Always remember to test the command with simpler flags to check it's working. Thankfully, this was a Linux box, and nc on Linux usually supports the '-e' flag; most BSD variants don't. The complete command I used is:
() { :;}; /usr/bin/nc -lvp 1234 -e /bin/bash
The fact that the right pane didn't return any results is a good sign: it means that the victim machine is executing netcat. Time to connect to it:
There you go! For more great web pentesting exercises like this, please visit my friend Louis Nyffenegger's awesome website at www.pentesterlab.com
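From the defender's side, the same thing that makes this exercise easy makes it easy to spot: every Shellshock payload has to begin with the bash function-definition prefix "() {", and on a web server it arrives in a request header that the CGI handler copies into an environment variable (User-Agent here, but Referer, Cookie or the request line work the same way). The following is an added example, not code from the post or from PentesterLab: a small Python scanner that parses Apache combined-format access log lines and flags any request whose User-Agent, Referer or request line carries that prefix. The log lines, IP addresses and timestamps are constructed for the example; the two flagged payloads are the ones used above.

```python
import re
from typing import Dict, List, Optional

# Shellshock (CVE-2014-6271) payloads begin with a bash function definition
# placed in an environment-variable value: "() {" followed by a body, "}" and
# then trailing commands a vulnerable bash would execute while importing the
# function. Matching the prefix is enough to flag a probe; the commands that
# follow vary from one attempt to the next.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from the original post): one benign visit to the
# CGI status script, the two probes from the walkthrough above, and an
# unrelated static-file request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2015:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [12/Mar/2015:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /sbin/ifconfig"
10.0.0.9 - - [12/Mar/2015:10:00:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; /usr/bin/nc -lvp 1234 -e /bin/bash"
10.0.0.7 - - [12/Mar/2015:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.38.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_payload(value: str) -> bool:
    """True if a header or request-line value starts a bash function definition."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan log text and return one hit per request carrying a Shellshock prefix.

    Each hit records the source IP, timestamp, which field carried the payload,
    the payload itself, and whether the request targeted a CGI path (the
    combination that actually reaches bash on a vulnerable server).
    """
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        for field in ("ua", "ref", "req"):
            if is_shellshock_payload(rec[field]):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "field": field,
                    "value": rec[field],
                    "cgi_target": "/cgi-bin/" in rec["req"],
                })
                break  # one hit per request is enough
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} [{hit['field']}] cgi={hit['cgi_target']} {hit['value']}")
```

Running the script prints the two probe lines from 10.0.0.9 and nothing for the benign requests. Note that the third line has a 0-byte response: as the post observes, a payload that starts a listener returns nothing to the page, so an empty body on a CGI path with this prefix in a header is still a confirmed attempt, not a failed one. The same prefix check is what web application firewall rules for this CVE key on, and it should be applied to every header the CGI handler exports, not just User-Agent.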