Related vulnerability
Title:
Apache HTTP Server security vulnerability
(CVE-2024-38475)
Description: Apache HTTP Server is an open-source web server from the Apache Software Foundation (USA). It is fast, reliable, and extensible through a simple API. Apache HTTP Server 2.4.59 and earlier contain a security vulnerability caused by improper output escaping, which allows an attacker to map URLs to filesystem locations that are not directly reachable through any URL, leading to code execution or source code disclosure.
Introduction
# CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC
Author: **abrewer251**
A proof-of-concept tool for testing the CVE-2024-38475 ("SonicBoom") Apache URL traversal vulnerability. This script automates TLS negotiation, directory scanning, traversal verification, and payload fuzzing to identify unauthorized file access.
## Description
This repository contains a Python script (`poc.py`) that:
1. Negotiates the highest supported TLS/SSL protocol with the target.
2. Verifies generic directory traversal behavior.
3. Scans a directory wordlist for 403-protected directories.
4. Confirms traversal vulnerability per-directory.
5. Fuzzes file paths using custom payloads to detect real leaks.
6. Logs results to a specified output file.
This PoC helps security researchers and pen-testers rapidly validate the SonicBoom URL traversal flaw in Apache servers.
## Prerequisites
* **Python**: 3.6 or higher
* **Dependencies**:
  * `requests`
Install dependencies via pip:
```
pip install -r requirements.txt
```
> **Note**: `requirements.txt` should contain:
>
> ```
> requests
> ```
## Installation
1. Clone the repository:
```
git clone https://github.com/abrewer251/CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC.git
cd CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC
```
2. Make the script executable (optional):
```
chmod +x poc.py
```
## Run `autoCurl.py` first to check whether the endpoint allows the PUT method before continuing
## Usage of poc.py
```
python3 poc.py [OPTIONS]
```
### Required Arguments
* `--schema`: Protocol to use (`http` or `https`)
* `--host`: Target host or IP
* `--port`: Target port
* `--directory-wordlist`: Path to the directory wordlist file
* `--file-wordlist`: Path to the file wordlist file
* `--output`: Path to write results to
### Optional Flags
| Flag | Description | Default |
| ------------------------- | ------------------------------------------------ | ------------ |
| `-p`, `--payloads` `<list>` | URL-encoded payloads to append (space-separated) | `%3f %3Fany` |
| `-h`, `--help` | Show help message | — |
## Examples
```
python3 poc.py \
  --schema https \
  --host 192.0.2.10 \
  --port 8443 \
  --directory-wordlist dirs.txt \
  --file-wordlist files.txt \
  --payloads "%2e%2e/" "%2e%2e%5C" \
  --output findings.log
```
## Output Details
The output file contains a line-by-line log of each test stage:
* **\[1/6] Negotiating TLS** followed by the TLS version that was negotiated
* **\[TRAVERSAL OK]** for successful generic traversal
* **\[403]** entries for protected directories found
* **\[TRAVERSAL OK] \<dir>** for per-directory traversal verification
* **\[200]** lines for actual file leaks discovered
* Final status line: `Done. Results saved to <output>`
Each log entry follows the format:
```
[Stage] Message or status
```
## License
Released under the MIT License. See [LICENSE](LICENSE) for details.
File snapshot
[4.0K] /data/pocs/ab60b741a181afea5b3f61576889559a02b1682c
├── [3.2K] autoCurl.py
├── [1.0K] LICENSE
├── [6.7K] poc.py
└── [2.9K] README.md
0 directories, 4 files
Notes
1. Accessing the original source is recommended.
2. If the source is unavailable or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.