关联漏洞
标题:Apache HTTP Server 安全漏洞 (CVE-2021-42013)Description:Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 存在安全漏洞,该漏洞源于发现 Apache HTTP Server 2.4.50 版本中对 CVE-2021-41773 的修复不够充分。攻击者可以使用路径遍历攻击将 URL 映射到由类似别名的指令配置的目录之外的文件。如果这些目录之外的文件不受通常的默认配置“要求全部拒绝”的保护,则这些请求可能会成功。如果还为这些别
Description
A PoC exploit for CVE-2021-42013 - Apache 2.4.49 & 2.4.50 Remote Code Execution
介绍
# 🚨 CVE-2021-42013 - Apache 2.4.49 & 2.4.50 Remote Code Execution 🚨
CVE-2021-42013 builds upon the previously identified vulnerability, CVE-2021-41773. Despite the Apache team's efforts to address CVE-2021-41773 in version 2.4.50, subsequent investigations revealed that the fix fell short of fully mitigating the security risk.
This vulnerability exploits a path traversal attack vector, allowing attackers to manipulate URLs, mapping them to files outside the intended directories configured by Alias-like directives. When these files lack proper protection, such as the "require all denied" configuration, attackers can exploit this vulnerability by executing commands from the vulnerable path.
# Exploitation and Impact 💥
The severity of this vulnerability escalates if CGI scripts are enabled for the aliased paths. Exploiting CVE-2021-42013 grants attackers the ability to remotely execute arbitrary code on the targeted server, potentially leading to a complete system compromise as seen below.
It is crucial to act promptly by upgrading to secure versions of Apache HTTP Server.
# Mitigation 🛠️
Effectively countering the risks posed by CVE-2021-42013 requires upgrading to a version beyond Apache HTTP Server 2.4.50. Regularly monitoring security advisories and promptly applying updates are fundamental practices for upholding web server security.
# Educational Disclaimer 📚
The Proof of Concept (PoC) exploit provided in this repository is for educational purposes only. It is intended to enhance understanding and awareness of the CVE-2021-42013 vulnerability. Any use of the PoC exploit for malicious intent is strictly prohibited. The repository and its contributors disclaim any responsibility for misuse or any consequences arising from unauthorized activities.
文件快照
[4.0K] /data/pocs/0611f83fd0c58e77f7138f653035624227a8a06d
├── [6.8K] CVE-2021-42013.py
├── [1.9K] README.md
└── [ 91K] Screenshot_2024-01-15_08-14-03.png
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →