A simple Shellshock scanner in python
Test 1: uses the command sleep in different headers and check differences between delays to check the vulnerability. Test 2: uses the command ping -cX 127.0.0.1 and check differences between delays. Test 3: try to print a string and get it (causes a lot of False Positives)
Receives a host list and a cgi list (and the number of threads).
It uses only 1 thread per host to avoid time differences caused by multiple requests at the same time.
It can cause some False positives (Retest the possible possitives).
I know is not the most portable code that you have ever seen but... it works ^ ^u. Anyway, any improvement is always welcome :)
- Try to write a file in /var/www and read it? (this would be quite intrusive)
- Send mail with info
- Ping IP address (then have a listener)
Output CSV file
- WARNING : It is set to True if the delay of the request is more than the introduced with the command (sleep 9 == delay more than 9 s)
- VULNERABLE : It is set to True if Warning is True and the difference between the delays of the normal request and the "shellshock" one is high.
- ERROR : It is set to True if an exception happens (usually Timeout or an invalid CGI or Host)
- The other columns are almost self explanatory
If a 100K lines CSV is a bit Long, you can search quickly for Vulnerable lines with the command: $ grep '^[^,],[^,],True' <output.csv>
Or Warning = True lines with: $ grep '^[^,],[^,],[^,],[^,],True' <output.csv>
Have fun :D