Shellshock is a software configuration flaw within how bash handled functions being defined within environment variables (Request Headers) and exported them. Web Servers that utilized /bin/sh on the back end, utilized CGI scripts, or used popen() or system() functions are vulnerable to this exploit. (@lcamtuf) The alternative use is to use /bin/dash which does not have the vulnerability.
An example is a site (e.g http://test.com/serverstats.cgi) that runs a /bin/bash script. By looking at the site's source performs a simple GET requests that runs the a script but since its using /bin/bash, by modifying the User Agent, Referer, or Cookie headers we can get RCE on server side.
Use echo for padding as servers can return a 500 error if not used.
HTTP_USER_AGENT='() { :;};echo;/usr/bin/id'# HTTP_USER_AGENT' is CGI Environment Variable, rest is the shellshock injection# () { :;} is the Shellshock Prefix. Indicates variable is a BASH function. : means do nothing on BASH.# ;echo is padding. When injecting into HTTP Headers prepending the command with an echo can help avoid server errors.# ;/usr/bin/id is the command that will be executed. Ping or nslookup could be used for blind injections.
Exploiting
You can use Curl command or Burp Repeater for fast modifications
