August 2018
Intermediate to advanced
404 pages
10h 22m
English
In the first five steps, we discovered that there was a call to a shell script and, as it should have been run by a shell interpreter, it may have been bash or a vulnerable version of bash. To verify that, we performed the following test:
() { :;}; echo "Vulnerable:"
The first part, () { :;};, is an empty function definition since bash can store functions as environment variables, and this is the core of the vulnerability, as the parser keeps interpreting (and executing) the commands after the function ends. This allows us to issue the second part, echo "Vulnerable:", a command that simply returns and echoes what it is given as input.
The vulnerability occurs in the web server because the CGI implementation maps all the ...
Read now
Unlock full access