**CGI scripts are Perl scripts**, so if you have compromised a server that can execute **.cgi** scripts, you can upload **/usr/share/webshells/perl/perl-reverse-shell.pl**, which is a Perl reverse shell. Change the **.pl** extension to **.cgi**, grant it **execute permissions**, and then **access** the reverse shell from a web browser to run it.
It is recommended to use `nikto -C all` \(and all plugins\) to test for **CGI vulnerabilities**.
**ShellShock** is a vulnerability affecting the **Bash** command-line shell, which is widely used on Unix-based operating systems. It targets Bash's ability to run commands passed to it by applications. The flaw lies in the handling of **environment variables**, the dynamically named values that affect how processes run on a computer. An attacker can attach **malicious code** to an environment variable, and that code is executed when the variable is received. This allows the attacker to potentially compromise the system.
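An added detection example (not code from the original page): a small scanner that flags Shellshock-shaped header values in web server access logs, since a CGI gateway copies every request header into an environment variable before Bash sees it. The log lines, addresses and paths are constructed samples.

```python
import re

# A Shellshock payload is a Bash function definition "() { ... }" followed by
# extra commands after the closing brace; a vulnerable Bash runs those commands
# when it imports the variable. A CGI gateway copies every request header into
# an HTTP_* environment variable, so User-Agent and Referer are common carriers.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;\s*\S")

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_shellshock(log_text):
    """Return (ip, path, header_value) for each line whose Referer or
    User-Agent field carries a Shellshock-shaped function definition."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), m.group("path"), m.group(field)))
                break
    return hits

# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.8 - - [10/Oct/2024:13:55:37 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
203.0.113.9 - - [10/Oct/2024:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0.1"
"""

if __name__ == "__main__":
    for ip, path, value in find_shellshock(SAMPLE_LOG):
        print(f"shellshock attempt from {ip} against {path}: {value!r}")
```

The combined format only records Referer and User-Agent, so headers such as Cookie need full request logging (or WAF inspection) to be covered, and the regex does not decode URL-encoded or otherwise obfuscated variants.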
Curl is a command-line tool for making HTTP requests. It can be used to test and exploit various vulnerabilities in web applications. This section covers three types of Curl-based attacks: reflected, blind, and out-of-band.
### **Reflected Attacks**
Reflected attacks involve injecting malicious code into user input that is then reflected back in the server's response. This type of attack is commonly found in web applications that do not properly sanitize user input.
To perform a reflected attack using Curl, you can use the `-d` or `--data` option to send the payload as part of the HTTP request. For example:
In this example, the payload is JavaScript code that executes when the server reflects it back in the response. This is how cross-site scripting (XSS) attacks are triggered.
### **Blind Attacks**
Blind attacks are similar to reflected attacks, but the server does not directly reflect the injected code in its response. Instead, the attacker needs to find a way to extract the response indirectly.
In this example, the payload is JavaScript code that redirects the user to the attacker's website with their cookie included in the URL. By checking the contents of the `response.txt` file, the attacker can extract the user's cookie.
### **Out-of-Band Attacks**
Out-of-band attacks involve sending data from the target server to an external server controlled by the attacker. This can be useful when the attacker cannot directly access the server's response.
To perform an out-of-band attack using Curl, you can use the `--dns` option to make DNS requests to the attacker's server. For example:
In this example, the payload is an HTML image tag that triggers an error and sends the user's cookie data to the attacker's server. By monitoring the DNS requests made to `attacker.com`, the attacker can extract the cookie.
These are just a few examples of how Curl can be used to perform reflected, blind, and out-of-band attacks. It is important to note that these attacks should only be performed on systems that you have permission to test.
[**Shellshocker**](https://github.com/liamim/shellshocker) is a web server vulnerability scanner for the Shellshock vulnerability. Shellshock is a vulnerability found on web servers that can allow remote execution of malicious code. Shellshocker automatically detects and scans for this vulnerability, helping to harden web server security.
Once you have identified a CGI script on a web server, the next step is to exploit it. Exploiting a CGI script involves finding vulnerabilities or weaknesses in the script that can be leveraged to gain unauthorized access or perform malicious actions.
### Common CGI Exploits
1. Command Injection: This exploit occurs when an attacker is able to inject malicious commands into the CGI script, which are then executed by the server. This can allow the attacker to execute arbitrary commands on the server and potentially gain full control.
2. File Inclusion: This exploit occurs when an attacker is able to include arbitrary files in the CGI script, which can lead to the disclosure of sensitive information or the execution of malicious code.
3. Path Traversal: This exploit occurs when an attacker is able to manipulate the file path used by the CGI script, allowing them to access files outside of the intended directory. This can lead to the disclosure of sensitive information or the execution of arbitrary code.
4. Remote Code Execution: This exploit occurs when an attacker is able to execute arbitrary code on the server by exploiting a vulnerability in the CGI script. This can allow the attacker to gain full control over the server.
### Exploit Tools
There are several tools available that can assist in exploiting CGI scripts. Some popular ones include:
- **Metasploit Framework**: A powerful framework that provides a wide range of exploits, including those targeting CGI scripts.
- **Nikto**: A web server scanner that can identify vulnerabilities in CGI scripts and provide potential exploits.
- **ExploitDB**: A comprehensive database of exploits that can be used to search for specific vulnerabilities in CGI scripts.
In addition to using automated tools, manual exploitation can also be performed by analyzing the CGI script and identifying potential vulnerabilities. This can involve examining the script's source code, input validation, and error handling mechanisms.
Once a vulnerability is identified, the attacker can craft a payload or exploit code to take advantage of the vulnerability and gain unauthorized access or perform malicious actions.
### Countermeasures
To protect against CGI exploits, it is important to implement the following countermeasures:
- **Input Validation**: Ensure that all user input is properly validated and sanitized to prevent command injection, file inclusion, and path traversal attacks.
- **Secure Configuration**: Configure the web server and CGI scripts to run with the least privileges necessary and disable unnecessary features or functionality.
- **Regular Updates**: Keep the web server and CGI scripts up to date with the latest security patches and updates to mitigate known vulnerabilities.
- **Web Application Firewall (WAF)**: Implement a WAF to monitor and filter incoming requests to the web server, blocking known CGI exploits.
By implementing these countermeasures, the risk of CGI exploits can be significantly reduced, helping to protect the web server and the sensitive data it contains.
The HTTP\_PROXY variable may be used by the web server. Try sending the **header** "**Proxy: <IP\_attacker>:<PORT>**" and check whether the server performs any requests during the session. If it does, you can capture each request the server makes.
**More information about the vulnerability and possible attacks:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**
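An added example (not from the original page) of why the "Proxy" header described above ends up in HTTP\_PROXY, beside the two mitigations: dropping the header before the CGI mapping (the same effect as Apache's `RequestHeader unset Proxy early`) and the client-library check Python's urllib performs. Header names, host and port are constructed sample values.

```python
import os
from unittest import mock
from urllib.request import getproxies_environment

def build_cgi_env(headers, drop_proxy_header=True):
    """Map request headers to CGI meta-variables the way a gateway does
    (RFC 3875: header "X-Foo" -> HTTP_X_FOO). The client controls header
    names, so a non-standard "Proxy" header lands in HTTP_PROXY, which many
    HTTP client libraries read as their outbound proxy. With
    drop_proxy_header=True the header is discarded first (server-side fix)."""
    env = {"REQUEST_METHOD": "GET", "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        if drop_proxy_header and name.lower() == "proxy":
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def naive_proxy(env):
    """Model of an unpatched proxy-aware client that trusts HTTP_PROXY."""
    return env.get("HTTP_PROXY")

def urllib_proxy(env):
    """What Python's urllib actually uses with this environment: its
    getproxies_environment() ignores the non-lowercase HTTP_PROXY whenever
    REQUEST_METHOD is set, i.e. when it detects it runs as a CGI script."""
    with mock.patch.dict(os.environ, env, clear=True):
        return getproxies_environment().get("http")

def has_proxy_header(headers):
    """Detection: a "Proxy" request header has no legitimate use and is
    worth alerting on at the web server or WAF."""
    return any(name.lower() == "proxy" for name in headers)

# Constructed request carrying a Proxy header (192.0.2.0/24 is a documentation range).
SAMPLE_HEADERS = {
    "Host": "cgi.example",
    "User-Agent": "curl/8.0.1",
    "Proxy": "192.0.2.10:8080",
}

if __name__ == "__main__":
    weak = build_cgi_env(SAMPLE_HEADERS, drop_proxy_header=False)
    print("naive client proxy:", naive_proxy(weak))    # 192.0.2.10:8080
    print("urllib proxy:", urllib_proxy(weak))         # None
    print("hardened env has HTTP_PROXY:", "HTTP_PROXY" in build_cgi_env(SAMPLE_HEADERS))
```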