I read in the news that Shellshock is another bigger vulnerability after Heartbleed. The code to test if our Bash shell is vulnerable or not is:
env X="() { :;} ; echo shellshock" /bin/sh -c "echo completed"
In detail, how does this code exactly work? What does the code env X="() { :;} ; do?
How is it vulnerable and can it be exploited if I am hosting a website in a Linux environment where the shell is vulnerable?
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
做什么env?
根据文档,env在修改后的环境中运行程序。
env [OPTION]... [-] [NAME=VALUE]... [COMMAND [ARG]...]
很明显,这x是一个名称/变量,() { :;}; echo vulnerable'是变量的值。
现在,什么是() { :;};?
导出函数时,Bash 将其定义作为值存储在环境变量中:
$ x() {echo hello world;}
$ export x
$ env | grep x
x=() {echo hello world};
现在,当x='() {:;}'意味着类似于写作
$ x() {:;}
$ export x
$ env | grep x
也就是说,我们间接export x创建了env. 这:是 Bash 中的空语句。