Shellshock (CVE-2014-6271 and related CVEs) is a critical security vulnerability in Bash (Bourne Again SHell) , a Unix/Linux command-line shell. Discovered in September 2014, it allowed attackers to execute arbitrary commands on a vulnerable system by appending malicious code to environment variables.
bash --version Vulnerable versions: 1.14 through 4.3 (before patch). Run: shell shocker hack
GET /example.cgi HTTP/1.1 Host: victim.com User-Agent: () :;; echo; /bin/cat /etc/passwd When the web server passes HTTP_USER_AGENT as an environment variable to Bash, the payload executes cat /etc/passwd and sends output in the HTTP response. On Your System Check your Bash version: Shellshock (CVE-2014-6271 and related CVEs) is a critical
It is often called the "Shellshocker hack" because it shocked the cybersecurity world: Bash is installed on billions of devices (servers, macOS systems, routers, IoT devices), and the bug had existed for over 25 years. At its core, Bash supports function definitions inside environment variables. For example: Run: GET /example
#!/bin/bash echo "Content-type: text/plain" echo "" echo "Hello $HTTP_USER_AGENT"