来源

关联漏洞

描述

Bash script to automate Local File Inclusion (LFI) attacks on aiohttp server version 3.9.1.

介绍

# LFI-aiohttp-CVE-2024-23334-PoC

A Bash script to automate Local File Inclusion (LFI) attacks on vulnerable aiohttp servers, specifically targeting CVE-2024-23334. This exploit allows for unauthorized access to arbitrary files on systems running affected versions of aiohttp with improperly configured static routes.

## CVE-2024-23334 Vulnerability

The CVE-2024-23334 vulnerability affects the aiohttp asynchronous HTTP client/server framework for Python and asyncio. It arises when aiohttp is used as a web server with static routes, which can create directory traversal vulnerabilities if misconfigured. This allows an attacker to access arbitrary files on the system without authorization.

**Mitigations** for this vulnerability include:
- Upgrading to aiohttp version **3.9.2** or later, where the issue is resolved.
- Disabling the `follow_symlinks` option in the server configuration.
- Using a reverse proxy to prevent direct access to sensitive files.

## Features

- Automates directory traversal attacks up to 15 levels to reach targeted files.
- Provides feedback on server availability and verifies successful file access.
- Configurable payload paths for adapting the script to specific testing environments.

## Requirements

- `curl`: Ensure `curl` is installed on your system, as it is used for making HTTP requests.

## Usage

To execute the script, run the following command:

`./lfi_aiohttp.sh -f /path/to/file/to/dump`

![Captura de pantalla 2024-11-14 215430](https://github.com/user-attachments/assets/3a1bc8af-b355-4db1-a502-c453991baa57)

### Configuration Note

> **Important**: The `main_url` and `payload` variables in the script may need to be adjusted depending on the target environment.

- **`main_url`**: This variable should be set to the URL of the target aiohttp server (e.g., `http://localhost:8083`). Modify it according to the actual server address you're testing against.
- **`payload`**: This variable represents the static file route on the server (e.g., `/assets/`). Ensure this path matches the configuration of the target server's static file directory.

Before running the script, review these variables to ensure they are correctly configured for your testing scenario. Incorrect settings may result in failed attempts to access files or unintended behavior.

### Arguments

- **-f**: Specifies the file to dump from the server.
- **-h**: Displays the help panel with usage instructions.

## Disclaimer

This script is intended for educational purposes and authorized penetration testing only. Unauthorized use of this script is prohibited and may be illegal.

文件快照

 [4.0K]  /data/pocs/dc79925805f978f8f91bb8d6cd5344cc46dfc627
├── [2.2K]  lfi_aiohttp.sh
└── [2.5K]  README.md

0 directories, 2 files

备注