Skip to content

Instantly share code, notes, and snippets.

@andresriancho
Last active August 29, 2015 14:06
Show Gist options
  • Save andresriancho/4ef11d75c1f517c24f94 to your computer and use it in GitHub Desktop.
Save andresriancho/4ef11d75c1f517c24f94 to your computer and use it in GitHub Desktop.
w3af can now find shell shock vulnerabilities
w3af>>> plugins
w3af/plugins>>> audit shell_shock
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://.../test-env.cgi
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
Shell shock was found at: "http://.../test-env.cgi", using HTTP method GET.
The modified header was: "User-Agent" and it's value was: "() { test; }; ping -c 3 localhost".
This vulnerability was found in the requests with ids 36, 40, 44, 48 and 52.
Scan finished in 56 seconds.
Stopping the core...
w3af>>> exit
w3af>>>
Liked it? Contribute with some lines of code!
@andresriancho
Copy link
Author

Try it yourself!

git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_console

And then run the commands you see above. The source code is available here, pull requests with improvements and different detection techniques are welcome!

@andresriancho
Copy link
Author

If you want to run the shell_shock plugin against all URLs in your site (recommended) here's the script to do it. Create a file called shell_shock.w3af in w3af's root, copy+paste this:

plugins
crawl web_spider
audit shell_shock
back

target
set target http://.../
back

start

Set the target to your web application and then:

$ ./w3af_console -s shell-shock.w3af

@andresriancho
Copy link
Author

@64nickel
Copy link

Is there a way to feed in a list of targets instead of a single line entry?

@DerAddi
Copy link

DerAddi commented Sep 28, 2014

how do you install the shell_shock into the plugins?

Copy link

ghost commented Oct 2, 2014

there is no "shell_shock" plugin. the code is in the os_commanding plugin

(x@box:~/w3af)$ ./w3af_console
w3af>>> plugins
w3af/plugins>>> audit shell_shock
Unknown plugin: 'shell_shock'
w3af/plugins>>>

the initial commits were made to os_commanding from what i can see

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment