#!/bin/bash
# Simulated CVE-2014-6271 (shellshock) target.
# Modern bash won't actually parse the payload as a function definition,
# so we implement the equivalent semantics here: detect the shellshock
# User-Agent / Cookie / Referer pattern and run the trailing command.
# CGI response header block: the content type, then the empty line that
# terminates the headers. Everything printed after this is response body.
printf '%s\n' "Content-Type: text/plain" ""
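#######################################
# Emulate the command-execution effect of CVE-2014-6271 for one header value.
#
# NOTE(security): eval on request-controlled text is intentional here (it is
# the simulated vulnerability) and gives any client command execution as the
# CGI user. Keep this script off any host that is not an isolated lab.
#
# Arguments: $1 - raw header value, e.g. "() { :;}; <command>"
# Outputs:   whatever the trailing command writes to stdout; its stderr is
#            discarded, so failures never appear in the HTTP response
# Returns:   0 when nothing follows the prefix, otherwise eval's status
#######################################
exec_payload() {
  local raw="$1"
  # End of the function-definition prefix. It is held in a variable and quoted
  # inside the expansion below because a bare `}` in ${raw#...} closes the
  # expansion early: the prefix then stays in place, a literal ";}" is
  # appended, and eval fails on a syntax error.
  local marker='};'
  local cmd

  # Drop everything up to and including the first "};". This covers both
  # "() { :;}; " and "() { :; }; ".
  cmd=${raw#*"$marker"}
  cmd="${cmd# }"
  if [ -z "$cmd" ]; then
    return
  fi

  # eval runs each semicolon-separated piece of what is left.
  eval "$cmd" 2>/dev/null
}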
# Check the three request headers this simulation covers (a CGI server
# exposes them as HTTP_* environment variables) and pass any value that
# contains the "() { :" marker to exec_payload.
# NOTE(review): only this substring form, in these three variables, is
# recognised. Detection or filtering rules validated against this target
# are therefore exercised on that variant alone.
for h in "$HTTP_USER_AGENT" "$HTTP_COOKIE" "$HTTP_REFERER"; do
  if [[ "$h" == *"() { :"* ]]; then
    exec_payload "$h"
  fi
done
# Response body: a fixed banner, then request details read back from the
# script arguments and the CGI environment. The values are client-influenced
# and are written unescaped; the response is declared as text/plain above.
printf '%s\n' "bash CGI test script - newploit"
printf 'args: %s\n' "$*"
printf 'query: %s\n' "$QUERY_STRING"
printf 'remote: %s\n' "$REMOTE_ADDR"