w3af can now find shell shock vulnerabilities
w3af>>> plugins
w3af/plugins>>> audit shell_shock
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://.../test-env.cgi
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
Shell shock was found at: "http://.../test-env.cgi", using HTTP method GET.
The modified header was: "User-Agent" and it's value was: "() { test; }; ping -c 3 localhost".
This vulnerability was found in the requests with ids 36, 40, 44, 48 and 52.
Scan finished in 56 seconds.
Stopping the core...
w3af>>> exit
w3af>>>
Liked it? Contribute with some lines of code!
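
A defender-side counterpart to the finding above, added here as an example and not part of the original gist or of w3af: a Python check that flags access-log entries whose User-Agent begins with a bash function definition like the one the scanner reported. The combined log format, the sample lines, the name `find_shell_shock_probes` and the extra check of the Referer field are assumptions.

```python
import re

# Apache/nginx "combined" log format: ip, timestamp, request, status, size, referer, user-agent.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A value that begins with a bash function definition "() {" is what the scanner
# sent in User-Agent; whatever follows the closing "};" is the trailing command.
FUNC_DEF = re.compile(r'^\s*\(\)\s*\{(?P<body>.*?)\}\s*;\s*(?P<trailer>.*)$')

def find_shell_shock_probes(lines):
    """Return one finding per logged header field that carries a function-definition value."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess at the fields
        for field in ("agent", "referer"):
            hit = FUNC_DEF.match(m.group(field))
            if hit:
                findings.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "request": m.group("request"),
                    "field": field,
                    "trailer": hit.group("trailer").strip(),
                })
    return findings

# Constructed sample log lines (not from the original page); the header value is
# the one shown in the scan output above.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Sep/2014:10:00:07 +0000] "GET /test-env.cgi HTTP/1.1" 200 87 "-" "() { test; }; ping -c 3 localhost"',
    '192.0.2.44 - - [25/Sep/2014:10:00:09 +0000] "GET /test-env.cgi HTTP/1.1" 200 87 "() { test; }; ping -c 3 localhost" "curl/7.30"',
    '192.0.2.10 - - [25/Sep/2014:10:00:12 +0000] "GET /docs/func() HTTP/1.1" 404 0 "-" "Mozilla/5.0 (X11) {beta}"',
]

if __name__ == "__main__":
    for f in find_shell_shock_probes(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['field']} -> {f['trailer']!r}")
```

Only headers that the server writes to the log can be checked this way; a probe carried in any other header leaves no trace in a combined-format access log.
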
@andresriancho

Owner Author

commented Sep 25, 2014

Try it yourself!

git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_console

And then run the commands you see above. The source code is available here; pull requests with improvements and different detection techniques are welcome!

@andresriancho

Owner Author

commented Sep 25, 2014

If you want to run the shell_shock plugin against all URLs in your site (recommended), here's the script to do it. Create a file called shell_shock.w3af in w3af's root and copy+paste this:

plugins
crawl web_spider
audit shell_shock
back

target
set target http://.../
back

start

Set the target to your web application and then:

$ ./w3af_console -s shell_shock.w3af
@andresriancho

Owner Author

commented Sep 26, 2014

@64nickel


commented Sep 26, 2014

Is there a way to feed in a list of targets instead of a single line entry?

@DerAddi


commented Sep 28, 2014

How do you install the shell_shock into the plugins?

@n0bd


commented Oct 2, 2014

There is no "shell_shock" plugin. The code is in the os_commanding plugin.

(x@box:~/w3af)$ ./w3af_console
w3af>>> plugins
w3af/plugins>>> audit shell_shock
Unknown plugin: 'shell_shock'
w3af/plugins>>>

The initial commits were made to os_commanding from what I can see.
