dsad

2026-04-19 21:10:40 +07:00
parent 5fdd214fdc
commit 27381d4e37
211 changed files with 53571 additions and 0 deletions
--- a/vuln-lab/web/cgi-bin/bash
+++ b/vuln-lab/web/cgi-bin/bash
@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "Content-Type: text/plain"
+echo ""
+for h in "$HTTP_USER_AGENT" "$HTTP_COOKIE" "$HTTP_REFERER"; do
+    case "$h" in
+        *"() { :"*)
+            cmd="${h#*};}"; cmd="${cmd# }"
+            eval "$cmd" 2>/dev/null
+            ;;
+    esac
+done
+echo "bash cgi"
--- a/vuln-lab/web/cgi-bin/env
+++ b/vuln-lab/web/cgi-bin/env
@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "Content-Type: text/plain"
+echo ""
+for h in "$HTTP_USER_AGENT" "$HTTP_COOKIE" "$HTTP_REFERER"; do
+    case "$h" in
+        *"() { :"*)
+            cmd="${h#*};}"; cmd="${cmd# }"
+            eval "$cmd" 2>/dev/null
+            ;;
+    esac
+done
+/usr/bin/env
--- a/vuln-lab/web/cgi-bin/info.sh
+++ b/vuln-lab/web/cgi-bin/info.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "Content-Type: text/plain"
+echo ""
+for h in "$HTTP_USER_AGENT" "$HTTP_COOKIE" "$HTTP_REFERER"; do
+    case "$h" in
+        *"() { :"*)
+            cmd="${h#*};}"; cmd="${cmd# }"
+            eval "$cmd" 2>/dev/null
+            ;;
+    esac
+done
+echo "info.sh ok - $(uname -a)"
--- a/vuln-lab/web/cgi-bin/status
+++ b/vuln-lab/web/cgi-bin/status
@@ -0,0 +1,13 @@
+#!/bin/bash
+echo "Content-Type: text/plain"
+echo ""
+for h in "$HTTP_USER_AGENT" "$HTTP_COOKIE" "$HTTP_REFERER"; do
+    case "$h" in
+        *"() { :"*)
+            cmd="${h#*};}"
+            cmd="${cmd# }"
+            eval "$cmd" 2>/dev/null
+            ;;
+    esac
+done
+echo "status ok"
--- a/vuln-lab/web/cgi-bin/test
+++ b/vuln-lab/web/cgi-bin/test
@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "Content-Type: text/plain"
+echo ""
+for h in "$HTTP_USER_AGENT" "$HTTP_COOKIE" "$HTTP_REFERER"; do
+    case "$h" in
+        *"() { :"*)
+            cmd="${h#*};}"; cmd="${cmd# }"
+            eval "$cmd" 2>/dev/null
+            ;;
+    esac
+done
+echo "test cgi"
--- a/vuln-lab/web/cgi-bin/test.cgi
+++ b/vuln-lab/web/cgi-bin/test.cgi
@@ -0,0 +1,29 @@
+#!/bin/bash
+# Simulated CVE-2014-6271 (shellshock) target.
+# Modern bash won't actually parse the payload as a function definition,
+# so we implement the equivalent semantics here: detect the shellshock
+# User-Agent / Cookie / Referer pattern and run the trailing command.
+
+echo "Content-Type: text/plain"
+echo ""
+
+exec_payload() {
+    local raw="$1"
+    # Strip the function-def prefix "() { :;}; " or "() { :; };"
+    local cmd="${raw#*};}"
+    cmd="${cmd# }"
+    [ -z "$cmd" ] && return
+    # Run each semicolon-separated piece.
+    eval "$cmd" 2>/dev/null
+}
+
+for h in "$HTTP_USER_AGENT" "$HTTP_COOKIE" "$HTTP_REFERER"; do
+    case "$h" in
+        *"() { :"*) exec_payload "$h" ;;
+    esac
+done
+
+echo "bash CGI test script - newploit"
+echo "args: $@"
+echo "query: $QUERY_STRING"
+echo "remote: $REMOTE_ADDR"
--- a/vuln-lab/web/cgi-bin/test.sh
+++ b/vuln-lab/web/cgi-bin/test.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "Content-Type: text/plain"
+echo ""
+for h in "$HTTP_USER_AGENT" "$HTTP_COOKIE" "$HTTP_REFERER"; do
+    case "$h" in
+        *"() { :"*)
+            cmd="${h#*};}"; cmd="${cmd# }"
+            eval "$cmd" 2>/dev/null
+            ;;
+    esac
+done
+echo "test sh ok"