Courses / Remote Code Execution (RCE)

Shellshock (CVE-2014-6271)

Last Edit: 10-05-2024

Pro Chapter

This chapter is exclusive to Pro members

Upgrade to Pro to unlock:

Full access to all courses & chapters
Advanced learning materials
New Courses and Labs every month

Exclusive Guided Mode in Labs
Official step-by-step solutions
All Labs features (extend time, etc)

Upgrade to Pro Now $11.33/mo Yearly Plan $8.50/mo

Shellshock (CVE-2014-6271)

Shellshock is a vulnerability in the GNU Bash shell that was widely used in Unix-based systems. The vulnerability allowed attackers to inject and execute code via environment variables.

Attack Vector

An attacker could trigger the vulnerability by manipulating the HTTP_USER_AGENT variable in HTTP requests to execute arbitrary commands on a web server.

Example Code

Below is an example of an HTTP request exploiting the Shellshock vulnerability:

GET /cgi-bin/any_script.cgi HTTP/1.1 Host: vulnerable.example.com User-Agent: () { :;}; /bin/bash -c 'echo Hello, I am executing code!'

In this example, the User-Agent

header contains a Bash function followed by a command to execute. If the web server is vulnerable, it would execute the echo command.

Pro Content

This chapter contains advanced content available to Pro members only.

Upgrade to Pro

Course Summary

Courses / Remote Code Execution (RCE)

Shellshock (CVE-2014-6271)

Pro Chapter

Upgrade to Pro to unlock:

Shellshock (CVE-2014-6271)

Attack Vector

Example Code

Pro Content

Course Summary

RCE: Introduction

RCE in PHP

Shellshock (CVE-2014-6271)