Apache httpd
aka httpd, apache2
The classic web server. Config files leak vhosts and basic-auth, CGI scripts enable Shellshock, access logs are an LFI poisoning target, and recent path-traversal CVEs reach RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | HTTP |
| 443 | tcp | HTTPS |
Fingerprint
- Server: Apache/<version> header
- Default test page or a custom vhost
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/apache2/, /etc/httpd/ | config, vhosts (ports.conf, sites-enabled) | |
| .htpasswd | basic-auth credentials | sensitive |
| /var/log/apache2/access.log | log-poisoning target for LFI to RCE | |
| /var/www/html/ | web root | |
Service users
www-data, apache
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2021-41773 | Path traversal and RCE (2.4.49/2.4.50) |
| CVE-2014-6271 | Shellshock via CGI environment variables |
Exploitation primitives
- Read sites-enabled / .htpasswd for vhosts and basic-auth creds
- Shellshock: a malicious User-Agent to a CGI script runs commands
- Log poisoning: inject PHP via User-Agent into access.log, then include it through an LFI
Overview
Apache httpd is the default web server on countless boxes. Its own bugs (Shellshock, the 2.4.49 traversal) plus log poisoning via LFI make it a frequent foothold.
Enumeration
Check the Server header:
curl -sI http://<TARGET>/
Path-traversal probe (2.4.49 / 2.4.50):
curl --path-as-is "http://<TARGET>/cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd"
Hardening
Patch promptly, disable unneeded CGI, protect config/log files, and avoid mod_cgi exposure.
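A log check for the three primitives listed above (encoded path traversal, Shellshock-shaped header values, PHP tags written into the access log), as an added example that is not part of the original page. It assumes the access log uses Apache's stock `combined` LogFormat; the rule names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
FIELD = r'((?:[^"\\]|\\.)*)'  # quoted field; Apache logs embedded quotes as \"
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "' + FIELD + r'" \d{3} \S+ "' + FIELD + r'" "' + FIELD + r'"$'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

def classify(line):
    """Return the set of rule names that one access-log line triggers."""
    m = COMBINED.match(line.strip())
    if not m:
        return {"unparsed"}  # surface odd lines instead of silently dropping them
    _host, request, referer, agent = m.groups()
    hits = set()
    parts = request.split(" ")
    path = (parts[1] if len(parts) > 1 else request).split("?", 1)[0]
    for _ in range(2):  # decode twice so nested percent-encoding is normalised too
        path = unquote(path)
    if ".." in path.split("/"):
        hits.add("traversal")
    # Shellshock: a logged header value shaped like a Bash function definition
    if any(v.lstrip().startswith("() {") for v in (referer, agent)):
        hits.add("shellshock")
    # Log poisoning: a PHP open tag written into the log through a request field
    if any(PHP_TAG.search(v) for v in (request, referer, agent)):
        hits.add("php-in-log")
    return hits

def scan(lines):
    """Return [(line_number, client, sorted rule names)] for lines that trigger a rule."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            out.append((n, line.split(" ", 1)[0], sorted(hits)))
    return out

# Constructed sample lines (documentation address range), not real traffic
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2021:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2021:13:56:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.79.1"',
    '198.51.100.9 - - [10/Oct/2021:13:56:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; <command>"',
    '198.51.100.9 - - [10/Oct/2021:13:57:12 +0000] "GET / HTTP/1.1" 200 1043 "-" "<?php /* constructed marker */ ?>"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Only fields that the LogFormat records are visible to this check, so a header that is not logged cannot be matched here.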