{"id":17101913,"url":"https://github.com/nullarray/shellshocker","last_synced_at":"2025-07-02T02:07:14.591Z","repository":{"id":140848096,"uuid":"48482780","full_name":"NullArray/Shellshocker","owner":"NullArray","description":"A Bash script to test a list of URLs for the shellshock vulnerability.","archived":false,"fork":false,"pushed_at":"2019-11-15T09:31:06.000Z","size":17,"stargazers_count":26,"open_issues_count":0,"forks_count":19,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-13T00:36:24.126Z","etag":null,"topics":["bash","exploit","pentest","pentesting","shell","shellshock-vulnerability"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NullArray.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2015-12-23T09:46:23.000Z","updated_at":"2024-11-04T10:39:47.000Z","dependencies_parsed_at":null,"dependency_job_id":"a1528fc3-55d7-46d7-8949-4bc8288c0e01","html_url":"https://github.com/NullArray/Shellshocker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/NullArray/Shellshocker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NullArray%2FShellshocker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NullArray%2FShellshocker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NullArray%2FShellshocker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NullArray%2FShellshocker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NullArray","download_url":"https://codeload.github.com/NullArray/Shellshocker/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NullArray%2FShellshocker/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263061406,"owners_count":23407606,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bash","exploit","pentest","pentesting","shell","shellshock-vulnerability"],"created_at":"2024-10-14T15:27:23.406Z","updated_at":"2025-07-02T02:07:14.583Z","avatar_url":"https://github.com/NullArray.png","language":"Shell","readme":"# Shellshocker\nA bash script that tests a list of hosts for the shellshock vulnerability. It does so by sending the payload:\n\n```\n'() { :; };echo;/bin/cat /etc/passwd\n```\nVia curl to each URL in the list respectively, per line, in sequence.\n\nTo use this script download or clone it then make `shellshocker.sh` executable like so `chmod +x shellshocker.sh`.\nAfter starting it from your terminal, select the 'List' option to specify a path to a list of URLs to be tested, in example; \n```\n'Path to list: /tmp/list.txt', \n```\nAfter doing so you can select the 'Output' option to specify a location to which a copy of the script's output will be saved. \nThis option is not mandatory and output will be printed to the STDOUT regardless of whether it is set or not.\n\nAfter a list of URLs has been loaded you can test them for the shellshock vulnerability by selecting the 'Test' option. \nIf any given host is vulnerable the contents of their /etc/passwd will be retrieved and printed to the terminal.\n\nUpon completion the script will exit.\n\n### Known issue\n\nFrom time to time when testing a list of URLs, HTML documents are retrieved as well together with the results from the command injection. Fortunately it doesn't happen often but i thought i'd mention it here regardless.\n\nIf you have any questions regarding this script please feel free to open a ticket. \nThank you.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnullarray%2Fshellshocker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnullarray%2Fshellshocker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnullarray%2Fshellshocker/lists"}