Shellshock (also called Bashdoor) is a bug discovered in the Bash shell in September 2014 that allows commands to be executed through functions stored in the values of environment variables.
Shellshock is relevant to us as web penetration testers because developers sometimes call system commands from PHP and CGI scripts (more commonly from CGI), and those scripts can be affected if they make use of system environment variables.
In this recipe, we will exploit a Shellshock vulnerability in the bee-box vulnerable virtual machine to gain command execution on the server.
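From the defender's side, the same mechanism gives a clear log signature: CGI copies request headers into environment variables, so a header value that begins with a Bash function definition stands out in web server logs. The following detection sketch is an added example, not part of the original recipe; the log lines, IP addresses, `/cgi-bin/status.cgi` path and the function name `find_shellshock_probes` are constructed for illustration.

```python
import re

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# A function stored in an environment variable value starts with "() {".
# Only a match at the start of the value counts; extra whitespace is tolerated.
FUNC_PREFIX = re.compile(r'^\s*\(\)\s*\{')


def find_shellshock_probes(lines):
    """Return (line_number, client_ip, field) for each header that starts
    with a Bash function definition."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = COMBINED.match(line.strip())
        if not match:
            continue  # not combined format: skip instead of guessing
        for field in ("referer", "agent"):
            if FUNC_PREFIX.match(match.group(field)):
                hits.append((number, match.group("ip"), field))
    return hits


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 87 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.4 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 87 "() { :;}; echo constructed-sample" "curl/7.38.0"',
    '192.0.2.10 - - [25/Sep/2014:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "ExampleBot/1.0 (note: () { not at start)"',
]

if __name__ == "__main__":
    for number, ip, field in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {number}: {ip} sent a function definition in {field}")
```

The combined log format records only the Referer and User-Agent headers, so probes carried in other headers need those fields added to the log format before this check can see them.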