Re: [Haifux] The Bash vulnerability (shellshock)

2014-09-27 Thread boazg
you need to find a vulnerable site. CGI doesn't have to pass through bash. you need a site that opens a subshell for something. they aren't uncommon, but it's not every linux-CGI site. On Fri, Sep 26, 2014 at 2:33 PM, Eli Billauer e...@billauer.co.il wrote: Hi, I did # yum upgrade bash on

Re: [Haifux] The Bash vulnerability (shellshock)

2014-09-27 Thread boazg
try it with DHCP instead https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/ On Sat, Sep 27, 2014 at 11:36 AM, boazg boaz.ge...@gmail.com wrote: you need to find a vulnerable site. CGI doesn't have to pass through bash. you need a site that opens a subshell for

Re: [Haifux] The Bash vulnerability (shellshock)

2014-09-27 Thread Guy Edri
Hey Eli. http://www.tripwire.com/state-of-security/off-topic/shell-shocked-bash-bug-detection-tools-cve-2014-6271/ http://shellshocktest.com/ https://github.com/mubix/shellshocker-pocs enjoy your PT with all those tools. On Sat, Sep 27, 2014 at 11:37 AM, boazg boaz.ge...@gmail.com wrote: