PoC details: 97afaf49c487b4f3af77d0289e0bbd82af65a901

Source
Related vulnerability
Title: aiohttp path traversal vulnerability (CVE-2024-23334)
Description: aiohttp is an open-source asynchronous HTTP client/server framework for asyncio and Python. aiohttp versions before 3.9.2 contain a path traversal vulnerability: when follow_symlinks is set to True, there is no check that the file being read lies within the root directory, which can lead to directory traversal.
Description
Proof-of-Concept for LFI/Path Traversal vulnerability in aiohttp <= 3.9.1
Introduction
# CVE-2024-23334

Proof-of-Concept for LFI/Path Traversal vulnerability in aiohttp <= 3.9.1

> [!IMPORTANT]
> This script is meant for educational purposes only.
> 
> Any illegal usage is strictly prohibited.
>

## How to run?

```
$ git clone https://github.com/wizarddos/CVE-2024-23334
$ cd CVE-2024-23334
$ python3 exploit.py -u [url] -f [file] -d [static directory]
```

> [!NOTE]
> Remember to match slashes in the URL and the static dir: if you type `http://127.0.0.1/`, then pass the directory without a slash (like `static`), and vice versa (URL without a slash and directory with it).

## Why does it work?

The vulnerability lies in the way aiohttp handles requests for static resources.

If we write code like this:
```py
app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True)
])
```

`follow_symlinks=True` makes it vulnerable to LFI.
To serve static resources, you need to specify their root directory.
The `follow_symlinks` option tells `aiohttp` to follow symbolic links outside of the root directory, yet it doesn't check whether the link itself lies in the root dir.

So even if the said "symlink" isn't a link at all, `aiohttp` still reads that file and returns its contents.
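The containment check the advisory describes as missing, as an added illustration that is not the repository's code nor aiohttp's own implementation: a hypothetical `safe_static_path` helper refuses `../` traversal regardless of `follow_symlinks`, and lets `follow_symlinks` decide only whether a symlink placed inside the root may point outside it. `demo()` builds a constructed temporary layout to exercise the four cases.

```python
import os
import tempfile
from pathlib import Path


def safe_static_path(root: Path, requested: str, follow_symlinks: bool = False):
    """Return the file to serve for `requested`, or None if it must be refused.

    Hypothetical containment check written for this example (not aiohttp's own
    code): the lexical check runs no matter what follow_symlinks is, so '../'
    traversal is always refused; follow_symlinks only decides whether a symlink
    placed inside root may resolve to a target outside it.
    """
    root = root.resolve()
    # Normalise lexically first, before any symlink is followed.
    unresolved = Path(os.path.normpath(os.path.join(root, requested.lstrip("/"))))
    try:
        unresolved.relative_to(root)
    except ValueError:
        return None  # request escapes root (e.g. ../../etc/passwd)
    if not unresolved.exists():
        return None  # nothing to serve (also catches dangling symlinks)
    resolved = unresolved.resolve()
    if not follow_symlinks:
        try:
            resolved.relative_to(root)
        except ValueError:
            return None  # symlink target is outside root and following is off
    return resolved


def demo():
    """Constructed layout: static/public.txt, outside/secret.txt,
    static/link -> outside/secret.txt. Returns which requests are served."""
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp) / "static", Path(tmp) / "outside"
        root.mkdir()
        outside.mkdir()
        (root / "public.txt").write_text("public")
        (outside / "secret.txt").write_text("secret")
        (root / "link").symlink_to(outside / "secret.txt")
        return {
            "inside_file_served": safe_static_path(root, "public.txt") is not None,
            "traversal_refused_even_with_follow": safe_static_path(root, "../outside/secret.txt", True) is None,
            "symlink_refused_when_follow_off": safe_static_path(root, "link", False) is None,
            "symlink_served_when_follow_on": safe_static_path(root, "link", True) is not None,
        }
```

Upgrading to aiohttp 3.9.2 or later, where the advisory's fix lives, is the real remedy; the helper only shows what the missing check has to enforce.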

## Source
[https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f](https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f)
File snapshot

[4.0K] /data/pocs/97afaf49c487b4f3af77d0289e0bbd82af65a901
├── [1.5K] exploit.py
└── [1.3K] README.md

0 directories, 2 files