漏洞平台

POC详情： 0611f83fd0c58e77f7138f653035624227a8a06d

来源

https://github.com/K3ysTr0K3R/CVE-2021-42013-EXPLOIT

关联漏洞

标题： Apache HTTP Server 安全漏洞 (CVE-2021-42013)
描述：Apache HTTP Server是美国阿帕奇（Apache）基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 存在安全漏洞，该漏洞源于发现 Apache HTTP Server 2.4.50 版本中对 CVE-2021-41773 的修复不够充分。攻击者可以使用路径遍历攻击将 URL 映射到由类似别名的指令配置的目录之外的文件。如果这些目录之外的文件不受通常的默认配置“要求全部拒绝”的保护，则这些请求可能会成功。如果还为这些别

描述

A PoC exploit for CVE-2021-42013 - Apache 2.4.49 & 2.4.50 Remote Code Execution

介绍

# 🚨 CVE-2021-42013 - Apache 2.4.49 & 2.4.50 Remote Code Execution 🚨

CVE-2021-42013 builds upon the previously identified vulnerability, CVE-2021-41773. Despite the Apache team's efforts to address CVE-2021-41773 in version 2.4.50, subsequent investigations revealed that the fix fell short of fully mitigating the security risk.
This vulnerability exploits a path traversal attack vector, allowing attackers to manipulate URLs, mapping them to files outside the intended directories configured by Alias-like directives. When these files lack proper protection, such as the "require all denied" configuration, attackers can exploit this vulnerability by executing commands from the vulnerable path.
# Exploitation and Impact 💥

The severity of this vulnerability escalates if CGI scripts are enabled for the aliased paths. Exploiting CVE-2021-42013 grants attackers the ability to remotely execute arbitrary code on the targeted server, potentially leading to a complete system compromise as seen below. 

![Alt Text](https://github.com/K3ysTr0K3R/CVE-2021-42013-EXPLOIT/blob/main/Screenshot_2024-01-15_08-14-03.png)

It is crucial to act promptly by upgrading to secure versions of Apache HTTP Server.
# Mitigation 🛠️

Effectively countering the risks posed by CVE-2021-42013 requires upgrading to a version beyond Apache HTTP Server 2.4.50. Regularly monitoring security advisories and promptly applying updates are fundamental practices for upholding web server security.
# Educational Disclaimer 📚

The Proof of Concept (PoC) exploit provided in this repository is for educational purposes only. It is intended to enhance understanding and awareness of the CVE-2021-42013 vulnerability. Any use of the PoC exploit for malicious intent is strictly prohibited. The repository and its contributors disclaim any responsibility for misuse or any consequences arising from unauthorized activities.

文件快照


 [4.0K]  /data/pocs/0611f83fd0c58e77f7138f653035624227a8a06d
├── [6.8K]  CVE-2021-42013.py
├── [1.9K]  README.md
└── [ 91K]  Screenshot_2024-01-15_08-14-03.png

0 directories, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。