So it is said that if you know your enemies and know yourself, you will not be put at risk even if you have a hundred battles. (The Art of War)
This vulnerability, Shellshock (CVE-2014-6271), impacts the Bourne Again Shell “Bash”: an unpatched Bash imports function definitions from environment variables and keeps executing whatever follows the function body. Bash is not usually reachable directly through a web application, but it can be exposed indirectly through the Common Gateway Interface “CGI”, because the web server copies request headers into the environment of the CGI program (User-Agent becomes HTTP_USER_AGENT), and any Bash that program starts will parse them.
Detail Assessment and Planning
- Port scan to identify open ports, running services and service versions (Nmap)
- Identify the vulnerability and the vulnerable path, /cgi-bin/status (Burp, Firebug)
- Exploit the Shellshock vulnerability to get a reverse shell (nc)
Weaknesses and Strengths
Used Nmap to identify open ports. TCP port 80 is open and an Apache service is running on it.
By visiting the application with Burp, I can see that multiple URLs are requested when the page is loaded.
Also, by using Firebug, I can identify the CGI page, /cgi-bin/status, which calls a system command.
Start a listener on port 443 on the attacker’s machine:
# nc -l -p 443
192.168.79.156 is the attacker’s machine and 192.168.79.164 is the victim machine.