POC details: dc79925805f978f8f91bb8d6cd5344cc46dfc627

Source
Related vulnerability
Title: aiohttp path traversal vulnerability (CVE-2024-23334)
Description: aiohttp is an open-source asynchronous HTTP client/server framework for asyncio and Python. Versions of aiohttp before 3.9.2 contain a path traversal vulnerability: when `follow_symlinks` is set to True on a static route, the handler does not check whether the file being read lies inside the configured root directory, which allows directory traversal.
Description
Bash script to automate Local File Inclusion (LFI) attacks against aiohttp server version 3.9.1.
Introduction
# LFI-aiohttp-CVE-2024-23334-PoC

A Bash script to automate Local File Inclusion (LFI) attacks on vulnerable aiohttp servers, specifically targeting CVE-2024-23334. The exploit reads arbitrary files (those readable by the aiohttp process) on systems running affected versions of aiohttp with a static route configured with `follow_symlinks=True`.

## CVE-2024-23334 Vulnerability

CVE-2024-23334 affects the aiohttp asynchronous HTTP client/server framework for Python and asyncio in versions before 3.9.2. It arises when aiohttp is used as a web server with a static route whose `follow_symlinks` option is set to True: in that configuration the handler resolves the requested path without verifying that the result still lies within the static root, so a request containing `../` segments can escape the directory. This allows an unauthenticated attacker to read arbitrary files that the server process can access.

**Mitigations** for this vulnerability include:
- Upgrading to aiohttp version **3.9.2** or later, where the missing containment check is added.
- Leaving `follow_symlinks` at its default of `False` (the vulnerable configuration requires setting it to `True` explicitly).
- Serving static files from a reverse proxy (e.g., nginx) instead of aiohttp's static route handler, so the aiohttp process never resolves the requested path itself.

## Features

- Automates directory traversal by sending requests with 1 to 15 `../` segments prepended to the target file path.
- Checks that the target server is reachable before probing and reports when a file is successfully read.
- Configurable target URL and static-route prefix for adapting the script to specific testing environments.
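To make the mechanism concrete, here is an added example (written for this page, not code from this repository or from aiohttp) that models the static-route check before and after the 3.9.2 fix in plain Python. The two handler functions are a reconstruction of the logic, not aiohttp's source; the `assets` directory, `secret.txt` and the `link` symlink are constructed in a temporary directory; and `traversal_payloads` mirrors the script's approach of prepending `../` up to 15 levels.

```python
"""Model of the CVE-2024-23334 static-route check, pre- and post-fix.
Added example; not code from this repository or from aiohttp."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def traversal_payloads(target: str, max_depth: int = 15) -> List[str]:
    """Request paths in the style the PoC tries: '../' repeated 1..max_depth
    times, followed by the target given without its leading slash."""
    return ["../" * depth + target.lstrip("/") for depth in range(1, max_depth + 1)]


def serve_vulnerable(root: Path, requested: str, follow_symlinks: bool) -> Optional[Path]:
    """Pre-3.9.2 logic (reconstructed for this example): resolve the joined path
    first and skip the containment check entirely when follow_symlinks is True.
    Returns None where the real handler would answer 403/404."""
    if Path(requested).is_absolute():
        return None
    filepath = root.joinpath(requested).resolve()
    if not follow_symlinks:
        try:
            filepath.relative_to(root)
        except ValueError:
            return None
    return filepath


def serve_fixed(root: Path, requested: str, follow_symlinks: bool) -> Optional[Path]:
    """3.9.2-style logic (reconstructed): with follow_symlinks, check the
    lexically normalised path against the root *before* resolving, so '..'
    segments can never escape while a symlink inside the root may still point
    outside it; without follow_symlinks, resolve first and require containment."""
    if Path(requested).is_absolute():
        return None
    unresolved = root.joinpath(requested)
    try:
        if follow_symlinks:
            normalized = Path(os.path.normpath(unresolved))
            normalized.relative_to(root)
            return normalized.resolve()
        filepath = unresolved.resolve()
        filepath.relative_to(root)
        return filepath
    except ValueError:
        return None


def demo() -> Dict[str, Optional[str]]:
    """Build a throwaway layout (constructed for this example) and record what
    each handler hands back, as a path relative to the temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()          # resolve() so /var vs /private/var does not bite
        root = base / "assets"              # the static root, e.g. served under /assets/
        root.mkdir()
        (root / "index.html").write_text("<h1>ok</h1>")
        secret = base / "secret.txt"        # lives outside the static root
        secret.write_text("top secret")
        os.symlink(secret, root / "link")   # in-root symlink pointing outside

        def rel(p: Optional[Path]) -> Optional[str]:
            return None if p is None else str(p.relative_to(base))

        # secret.txt is one level above the root, so the first payload reaches it
        payload = traversal_payloads("secret.txt", max_depth=3)[0]   # "../secret.txt"
        return {
            "vuln_traversal": rel(serve_vulnerable(root, payload, True)),
            "vuln_traversal_no_follow": rel(serve_vulnerable(root, payload, False)),
            "fixed_traversal": rel(serve_fixed(root, payload, True)),
            "fixed_symlink": rel(serve_fixed(root, "link", True)),
            "fixed_symlink_no_follow": rel(serve_fixed(root, "link", False)),
            "fixed_normal": rel(serve_fixed(root, "index.html", True)),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} -> {result}")
```

Run it directly to print the six outcomes. The contrast between `fixed_symlink` and `fixed_traversal` is the design choice behind the fix: a symlink that an administrator placed inside the root is still allowed to point outside (that is what `follow_symlinks=True` exists for), but `..` segments supplied by the client are rejected before resolution, so the client no longer chooses the destination.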

## Requirements

- `curl`: Ensure `curl` is installed on your system, as it is used for making HTTP requests.

## Usage

To execute the script, run the following command:

`./lfi_aiohttp.sh -f /path/to/file/to/dump`

![Screenshot 2024-11-14 215430](https://github.com/user-attachments/assets/3a1bc8af-b355-4db1-a502-c453991baa57)

### Configuration Note

> **Important**: The `main_url` and `payload` variables in the script may need to be adjusted depending on the target environment.

- **`main_url`**: The base URL of the target aiohttp server (e.g., `http://localhost:8083`). Set it to the actual server address you're testing against.
- **`payload`**: The URL prefix of the vulnerable static route on the server (e.g., `/assets/`). This must match the prefix the target registered for its static file directory, otherwise the `../` segments are never handled by the static route.

Before running the script, review these variables to ensure they are correctly configured for your testing scenario. Incorrect settings may result in failed attempts to access files or unintended behavior.

### Arguments

- **-f**: Specifies the file to dump from the server.
- **-h**: Displays the help panel with usage instructions.

## Disclaimer

This script is intended for educational purposes and authorized penetration testing only. Unauthorized use of this script is prohibited and may be illegal.
File snapshot

```text
[4.0K]  /data/pocs/dc79925805f978f8f91bb8d6cd5344cc46dfc627
├── [2.2K]  lfi_aiohttp.sh
└── [2.5K]  README.md

0 directories, 2 files
```