Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2024-38475 PoC — Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.

Source
https://github.com/abrewer251/CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC
Associated Vulnerability
Title:Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. (CVE-2024-38475)
Description:Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
Readme
# CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC

Author: **abrewer251**

A proof-of-concept tool for testing CVE-2024-38475 ("SonicBoom") Apache URL traversal vulnerability. This script automates TLS negotiation, directory scanning, traversal verification, and payload fuzzing to identify unauthorized file access.

## Description

This repository contains a Python script (`poc.py`) that:

1. Negotiates the highest supported TLS/SSL protocol with the target.
2. Verifies generic directory traversal behavior.
3. Scans a directory wordlist for 403-protected directories.
4. Confirms traversal vulnerability per-directory.
5. Fuzzes file paths using custom payloads to detect real leaks.
6. Logs results to a specified output file.

This PoC helps security researchers and pen-testers rapidly validate the SonicBoom URL traversal flaw in Apache servers.

## Prerequisites

* **Python**: 3.6 or higher
* **Dependencies**:

  * `requests`

Install dependencies via pip:

```
pip install -r requirements.txt
```

> **Note**: `requirements.txt` should contain:
>
> ```
> requests
> ```

## Installation

1. Clone the repository:
```
git clone https://github.com/abrewer251/CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC.git
cd CVE-2024-38475_SonicBoom_Apache_URL_Traversal_PoC
```
2. Make the script executable (optional):
```
chmod +x poc.py
```

## Run autoCurl.py to find out if PUT is a method allowed by the endpoint before continuing

## Usage of poc.py

```
python3 poc.py [OPTIONS]
```

### Required Argument

* `--schema`   Protocol to use (`http` or `https`)
* `--host`       Target host or IP
* `--port`       Target port
* `--directory-wordlist`  Path to directory wordlist file
* `--file-wordlist`    Path to file wordlist file
* `--output`       Path to write results to

### Optional Flags

| Flag                      | Description                                      | Default      |
| ------------------------- | ------------------------------------------------ | ------------ |
| `-p`, `--payloads` <list> | URL-encoded payloads to append (space-separated) | `%3f %3Fany` |
| `-h`, `--help`            | Show help message                                | —            |

## Examples

````
python3 poc.py \
  --schema https \
  --host 192.0.2.10 \
  --port 8443 \
  --directory-wordlist dirs.txt \
  --file-wordlist files.txt \
  --payloads "%2e%2e/" "%2e%2e%5C" \
  --output findings.log
````

## Output Details

The output file contains a line-by-line log of each test stage:

* **\[1/6] Negotiating TLS version negotiated
* **\[TRAVERSAL OK]** for successful generic traversal
* **\[403]** entries for protected directories found
* **\[TRAVERSAL OK] \<dir>** for per-directory traversal verification
* **\[200]** lines for actual file leaks discovered
* Final status line: `Done. Results saved to <output>`

Each log entry follows the format:

```
[Stage] Message or status
```

## License

Released under the MIT License. See [LICENSE](LICENSE) for details.
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →