Skip to content

Files

Latest commit

ba8186e · May 28, 2023

History

History

CVE-2014-6271

Shellshock Remote Command Injection (CVE-2014-6271)

中文版本(Chinese version)

Build and run the vulnerable environment:

docker compose build
docker compose up -d

When you visit http://your-ip/ you should see two files:

  • safe.cgi
  • victim.cgi

safe.cgi generated by the latest version of bash, and victim.cgi is the page generated by bash4.3 which is vulnerable to shellshock.

We can send include our payload in the user-agent string when visiting victim.cgi and the command is executed successfully:

The same request sent to safe.cgi is unaffected: