# Apache server-status is an Apache monitoring instance.
# Available by default at http://example.com/server-status.
# Normally, the server-status instance is not accessible from non-local IPs.
# However, due to misconfiguration, it can be publicly accessible.
# This lets anyone view the large amount of data exposed by server-status.
# Data exposed:
# - All URLs requested by all hosts/vhosts, including obscure files/directories and session tokens
# - IPs of all requesting clients

# Monitoring and exploiting Server Status
https://github.com/mazen160/server-status_PWN
python server-status_PWN.py --url 'http://example.com/server-status'
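
To find the misconfiguration described above on your own servers, the following added example (not part of the original notes or of server-status_PWN) audits Apache configuration text for `<Location>` blocks that enable `SetHandler server-status` and reports how each is access-controlled. It assumes Apache 2.4 `Require` syntax; the function name `audit_server_status` and the sample config are constructed for illustration.

```python
import re

# Constructed sample config (not from the original page): one open block, one local-only.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName example.com
    <Location "/server-status">
        SetHandler server-status
        Require all granted
    </Location>
</VirtualHost>
<VirtualHost *:8080>
    ServerName internal.example.com
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
</VirtualHost>
"""

BLOCK_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.I | re.S)

def audit_server_status(conf_text):
    """Return (path, verdict, reason) for every <Location> block that enables mod_status."""
    findings = []
    for path, body in BLOCK_RE.findall(conf_text):
        # Strip comments so a commented-out directive is not counted as active.
        lines = [l.split("#", 1)[0].strip() for l in body.splitlines()]
        lines = [l for l in lines if l]
        if not any(re.fullmatch(r"SetHandler\s+server-status", l, re.I) for l in lines):
            continue
        requires = [l.split(None, 1)[1].lower() for l in lines if re.match(r"Require\s+\S", l, re.I)]
        if not requires:
            # Access then depends on the enclosing context, so a human has to check it.
            findings.append((path, "REVIEW", "no Require directive; access is inherited"))
        elif "all granted" in requires:
            findings.append((path, "EXPOSED", "Require all granted"))
        else:
            findings.append((path, "RESTRICTED", "; ".join(requires)))
    return findings

if __name__ == "__main__":
    for path, verdict, reason in audit_server_status(SAMPLE_CONF):
        print(f"{verdict:10} {path}  ({reason})")
```

Blocks reported as EXPOSED or REVIEW are the ones to restrict, for example with `Require local` or `Require ip` limited to the monitoring hosts.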