Friday, September 26, 2014

LFI - The Beauty of BashBug // Shellshock

Hi folks, if you have not seen my previous tutorial on Bash Bug Penetration Testing then kindly check it. In this part of bash bug, I am supplying very small trick to exploit bash via CGI.

Lab setup is the same as previously mentioned in my last tutorial. Also the methodology is the same. 
Limitation in last tutorial of bash bug : In that demonstration I was managed to exploit bash successfully, somehow I could not make sure from client side(my end) that exploitation has gone successful or not. For that I went to vulnerable VM machine and went to that particular directory and checked that the files has been created successfully or not.

Advantage of this technique : In this technique I am making a new header with a variable, in which I will give arbitiary comamnds in order to exploit in the victim''s box. On top of that the result of that command's output will be reflected back at my burp sute's response. So this is the smartness of this payload that we do not need to go to server's end in order to confirm that has our exploitation been successful or not. We can do this by sitting at client side only since the output will be reflected to us.

Proof of Concept : 

Step 1 : As mentioned in last post I am accessing application at client side and capturing request in burp suite.

  This is the vulnerable cgi-bin/status file which was made in vulnerable BASH version.

 As I have mentioned I am adding an extra header in order to check vulnerability. This is normal header like cookie, which contains chintan_variable named variable which will print the output of echo /etc/passwd in the response. :) So this is the beauty of that.

As you can see that chintan_variable has print users which are the content of passwd file of victim's box. Thus how we can do LFI. I know that LFI is different than this, however we usually target /etc/passwd so this can be done by this as well

No comments: