w3af can now find shell shock vulnerabilities

w3af-console.txt

w3af>>> plugins
w3af/plugins>>> audit shell_shock
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target http://.../test-env.cgi
w3af/config:target>>> back
The configuration has been saved.
w3af>>> start
Shell shock was found at: "http://.../test-env.cgi", using HTTP method GET. 
The modified header was: "User-Agent" and it's value was: "() { test; }; ping -c 3 localhost". 
This vulnerability was found in the requests with ids 36, 40, 44, 48 and 52.
Scan finished in 56 seconds.
Stopping the core...
w3af>>> exit
w3af>>> 
Liked it? Contribute with some lines of code!

Try it yourself!

git clone https://github.com/andresriancho/w3af.git
cd w3af
git checkout develop
./w3af_console

And then run the commands you see above. The source code is available here, pull requests with improvements and different detection techniques are welcome!

If you want to run the shell_shock plugin against all URLs in your site (recommended) here's the script to do it. Create a file called shell_shock.w3af in w3af's root, copy+paste this:

plugins
crawl web_spider
audit shell_shock
back

target
set target http://.../
back

start

Set the target to your web application and then:

$ ./w3af_console -s shell-shock.w3af

Shell shock exploitation gist

Is there a way to feed in a list of targets instead of a single line entry?

how do you install the shell_shock into the plugins?

there is no "shell_shock" plugin. the code is in the os_commanding plugin

(x@box:~/w3af)$ ./w3af_console
w3af>>> plugins
w3af/plugins>>> audit shell_shock
Unknown plugin: 'shell_shock'
w3af/plugins>>>

the initial commits were made to os_commanding from what i can see