关联漏洞
标题:
aiohttp 路径遍历漏洞
(CVE-2024-23334)
描述:aiohttp是一个开源的用于 asyncio 和 Python 的异步 HTTP 客户端/服务器框架。 aiohttp 3.9.2之前版本存在路径遍历漏洞,该漏洞源于当follow_symlinks设置为 True 时,不会进行检查读取的文件是否位于根目录内,这可能会导致目录遍历漏洞。
描述
Proof-of-Concept for LFI/Path Traversal vulnerability in Aiohttp =< 3.9.1
介绍
# CVE-2024-23334
Proof-of-Concept for LFI/Path Traversal vulnerability in Aiohttp =< 3.9.1
> [!IMPORTANT]
> This script is for meant for educational purposes only.
>
> Any illegal usage is strictly prohibited.
>
## How to run?
```
$ git clone https://github.com/wizarddos/CVE-2024-23334
$ cd CVE-2024-23334
$ python3 exploit.py -u [url] -f [file] -d [static directory]
```
> [!Note]
> Remeber to match slashes in url and static dir - if you type `http://127.0.0.1/` then pass directory without slash (like `static`) and vice versa (url without slash and directory with it)
## Why does it work?
Vulnerability itself lies in a way how aiohttp handles requests for static resources
If we write code like this
```py
app.router.add_routes([
web.static("/static", "static/", follow_symlinks=True)
])
```
`follow_symlinks=True` makes it vulnerable to LFI.
To use static resources, you need to specify it's root directory
`follow_symlinks` option tells `aiohttp` to follow symbolic links outside of root directory, yet doesn't check whether link itself lies in root dir.
So even if said "symlink" isn't even a link, `aiohttp` does that file read and returns it's value
Source
[https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f](https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f)
文件快照
[4.0K] /data/pocs/97afaf49c487b4f3af77d0289e0bbd82af65a901
├── [1.5K] exploit.py
└── [1.3K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。