Executing commands with Shellshock
Shellshock (also called Bashdoor) is a bug that was discovered in the Bash shell in September 2014, allowing the execution of commands through functions stored in the values of environment variables.
Shellshock is relevant to us as web penetration testers because developers sometimes use calls to system commands in PHP and CGI scripts—more commonly in CGI—and these scripts may make use of system environment variables.
In this recipe, we will exploit a Shellshock vulnerability in the Bee-box-vulnerable virtual machine to gain command of execution on the server.
How to do it...
Log into
http://192.168.56.103/bWAPP/.In the Choose your bug: drop-down box, select Shellshock Vulnerability (CGI) and then click on Hack:
In the text, we can see something interesting: Current user: www-data. This may mean that the page is using system calls to get the username. It also gives us a hint: Attack the referrer.
Let's see what is happening behind the curtains and use BurpSuite...
