Hey guys. So in the previous video we saw how we can exploit the Shellshock vulnerability using the Metasploit Framework. In this video I'm going to do the same thing, but I'll be sending an HTTP request with wget and curl instead, and exploit the shell. So first, we're going to do the same thing like how we did last time. Since we already have the file, the executable file which can be accessed from the attacker machine's browser, we're just going to go with that.
So in this case, I think I named it hack.sh. Let's see if I can still access it. Let's actually see the IP of the Metasploitable 2, because it's 192.168.0.153. Let's go back to Kali and try to access our file at 192.168.0.153, and it was in cgi-bin/hack.sh. Awesome, so we can still access it. That's perfect and sweet. Let's exploit this.
So the easiest way to actually do this, the easiest way to test a web server via an HTTP request, is to inject the bash command through the user agent itself. So what I'm trying to say is, when you're trying to do a wget call, you can just inject the code right here itself. So I'm actually going to use the same code that I used to test out whether the bash on Metasploitable 2 was vulnerable or not, like in the previous video. So we're just creating a function and putting a colon in there, to see if the code is the same. Then bash something, let's say the vulnerable machine, which is 192.168.0.153.
Sure, there is one, which is very cool. And after that, I'm going to just put cgi-bin and hack.sh, which is actually the following. That should be all. Yes. You've got everything covered.
We have the colon. Okay, so I gotta put that up, close this out. Perfect, enter. Awesome. So we are getting an internal server error; this is actually a sign that the server is exploitable. So that's a good sign, if we get a 500 server error.
That means that the server is probably vulnerable to an exploit. So yeah, that's good for us. Now we can do the same thing with curl. You can just do the same thing, it's the same, you can copy-paste it; with curl the flag it uses is the only difference. As you can see we're getting 500 again, internal server error. 500 internal server error means the server's probably exploitable. That's basically what it means.
Now let's go with wget and swap out the user agent string for something which actually shows some file details. So let's go with the password file. So I'm going to do the same thing: wget, the user agent option, and open the brackets, just the function. Instead of typing just a colon, I'm gonna do something like test in it. And then close it out.
Echo, and the content type here is going to be text/plain, because we're trying to just output a text file, which is the password file. So it's gonna be Content-Type, and we're gonna just say text/plain, and just close it up. And then don't forget your semicolons; just echo it again so that we can have that, and then the path, /bin, and we run cat on it. So basically we're gonna output it, so we're going to put cat and then /etc/passwd, and then the target machine IP and the path, that's going to be 19216 a nine to one.
Let me see if the IP is still the same. Yes, okay. 123 150, and now it's gonna be cgi-bin/hack.sh, close it out. Well, we're not going to close anything, because we already have it closed right here. Let's enter it. Awesome.
So it got saved, as shown. Let's see if it actually got saved. So let's type cat, cat hack.sh. Awesome. So as you can see we got all the password file. Using just an HTTP request, we were able to exploit the vulnerable machine, which is Metasploitable 2. We can also do this using a curl command.
So basically you can just do something like, I'm sure. So we're gonna do something like this with a curl command. So what I'm going to do is, you can just do something like curl and the target machine, which is 1921680 53, cgi-bin, the same path, and hack.sh. And now for this particular thing we're gonna change it a little bit, because with this curl command we got to do a custom user agent command. So for that I was just gonna put dash H and then a custom header, and once we do that, we should be good.
Okay, so I'm going to start something. Let's see. So I got the opening, open the brackets, cgi, okay, we've got that working. We open a custom user agent. Oh, it's just that, because I kept it together and I forgot to close it. That's why. Now it should work. There you go.
So as you can see, we got an internal error again. So using the curl command instead, we got it working. Now, let's try to do the same thing by trying to get the password file, just like how we did for our other case with wget. So I'm going to do curl, HTTP, the same target machine. So I'm just gonna actually copy-paste it.
This part, and it's always good to write it down all the time so that you can practice. But since I'm doing it multiple times, we're just going to copy-paste it and just do dash H, which is the command for curl, and then custom, and then the same thing, just close it back up, and user agent as well. We're going to be working with a content type, and in this case it's going to be text/html, the HTML file. So we got to put that; as I mentioned, it's not going to pop up, and text/html.
Okay, and now what else is left? So we got the path, we got the content, we got everything. Oh, we gotta put the path of the password file. So let's first echo it real quick, and then put the path, which is /bin, and we want to cat it because we want to show it, we want to see what is in the file, and then passwd. That should be it. So we got the curl command to our attacker machine, got the script, and then we got the user agent, and then we got the echo and then the content type, text/html, and then we got the content type again, the echo, and then we got the command being cat.
Yep, that looks good. Let's see if it works. So, oops. That's not what it's supposed to do. Let's see, curl http 1968 2153.
Let's see if this part changed, if the IP changed. So it's 135. So let's change it to 135. Now it should work. Still not working. So I'm thinking there's something wrong with the code.
So I called it HTTP and then dash H custom, that's right. Oh, I forgot to put a colon in there, a semicolon. That's all it needs; that just completely crashes it. But other than that, I think we're good. We have something else, we have the HTML code, see?
Awesome. There you go. So we got all the password file and everything right here. And it just showed you how you can use curl or wget to exploit a vulnerable machine. I hope you enjoyed this video. We'll see you in the next one.
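From the defender's side, the requests shown in this video leave a very recognisable trace: the injected user agent always begins with a bash function definition of the form `() {`, and the target is a script under cgi-bin. The following log checker is an added example written for this page, not code from the video or its author; it parses Apache combined-format access log lines, flags any request whose User-Agent or Referer header carries that pattern, and records whether the server answered 500 (the malformed CGI response the video treats as a sign of vulnerability) or 200 (the payload's output was served). The log lines, IPs, timestamps and the hack.sh path are constructed sample data, and the log format and header fields checked are assumptions about the deployment.

```python
import re
from typing import Dict, List, Optional

# Shellshock payloads start with a bash function definition, "() {",
# placed in a request header that the CGI handler exports as an
# environment variable. Matching that token sequence (with optional
# whitespace) is the standard detection signature.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache combined log format (assumed); only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): a benign wget fetch of the
# script, a probe that produced a 500, a probe whose output was served
# with a 200, and an unrelated page view.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/hack.sh HTTP/1.1" 200 42 "-" "Wget/1.21"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/hack.sh HTTP/1.1" 500 600 "-" "() { :; }; echo vulnerable"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/hack.sh HTTP/1.1" 200 1823 "-" "() { test; }; echo Content-Type: text/plain; echo; /bin/cat /etc/passwd"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(header_value: str) -> bool:
    """True if a header value carries the '() {' function-definition prefix."""
    return SHELLSHOCK_RE.search(header_value) is not None


def classify_outcome(status: str) -> str:
    """Map the response code to what it suggests about the probe's effect.

    A 500 matches the behaviour shown in the video: the injected command ran
    but the CGI output lacked valid headers. A 200 means the server returned
    whatever the payload printed, so the request deserves immediate review.
    """
    if status == "500":
        return "malformed_cgi_response"
    if status == "200":
        return "payload_output_served"
    return "other"


def find_shellshock_hits(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed log record whose UA or Referer contains the signature."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_shellshock_probe(rec["ua"]) or is_shellshock_probe(rec["referer"]):
            rec["outcome"] = classify_outcome(rec["status"])
            # CGI scripts are the usual exposure point for this bug, so note it.
            rec["cgi_target"] = "yes" if "/cgi-bin/" in rec["req"] else "no"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["req"]} -> {hit["status"]} '
              f'({hit["outcome"]}, cgi_target={hit["cgi_target"]})')
```

The signature is deliberately loose (it ignores what follows the function definition), because the commands the attacker appends vary while the `() {` prefix cannot; pair the alert with patching bash on the host and with removing or isolating CGI scripts that are not needed, since a web application firewall rule on the header alone only blocks the path shown here.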