CVE-2024-23334

Proof-of-Concept for LFI/Path Traversal vulnerability in Aiohttp =< 3.9.1

Important

This script is meant for educational purposes only.

Any illegal usage is strictly prohibited.

How to run?

$ git clone https://github.com/wizarddos/CVE-2024-23334
$ cd CVE-2024-23334
$ python3 exploit.py -u [url] -f [file] -d [static directory]

Note

Remember to match slashes in the URL and the static dir: if you type http://127.0.0.1/ then pass the directory without a slash (like static), and vice versa (URL without slash and directory with it).

Why does it work?

The vulnerability itself lies in the way aiohttp handles requests for static resources.

If we write code like this:

from aiohttp import web

app = web.Application()
app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True)  # vulnerable on aiohttp =< 3.9.1
])

follow_symlinks=True makes it vulnerable to LFI. To serve static resources you specify their root directory; the follow_symlinks option tells aiohttp to follow symbolic links that point outside that root directory, yet it doesn't check whether the requested path itself lies in the root dir.

So even if the supposed "symlink" isn't a link at all, aiohttp still reads that file and returns its contents.
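The missing check, as an added illustration that is neither aiohttp's own code nor part of this PoC: a stand-alone reconstruction of how a static handler decides whether a requested path may be served. `patched=False` mimics the =< 3.9.1 behaviour described above; `patched=True` mimics the containment check added in 3.9.2, and its exact shape (lexically collapsing `..` before requiring the path to lie under the root, then resolving symlinks) is an assumption made for this example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_static(root: Path, requested: str, follow_symlinks: bool,
                   patched: bool) -> Optional[Path]:
    """Return the file a static handler would serve for `requested`, or None
    when the request must be rejected (a 404 in aiohttp).

    Simplified reconstruction for illustration, not aiohttp's own code.
    patched=False mirrors =< 3.9.1: with follow_symlinks=True the joined path is
    resolve()d and served with no containment check at all.
    patched=True mirrors the 3.9.2 fix (assumed shape): '..' is collapsed
    lexically and the result must lie under root before any symlink is
    followed, so a link inside the root may point outside it, but the
    requested path itself can no longer leave the root.
    """
    root = root.resolve()
    candidate = root.joinpath(requested)
    try:
        if follow_symlinks:
            if patched:
                normalized = Path(os.path.normpath(candidate))
                normalized.relative_to(root)  # ValueError if outside root
                return normalized.resolve()
            return candidate.resolve()  # =< 3.9.1: nothing stops '../'
        # follow_symlinks=False: resolve first, then the target must be inside
        resolved = candidate.resolve()
        resolved.relative_to(root)
        return resolved
    except ValueError:
        return None


def demo() -> dict:
    """Constructed sample tree: static/index.html inside the root, secret.txt
    outside it and static/link pointing at that outside file."""
    tmp = Path(tempfile.mkdtemp()).resolve()
    root = tmp / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>hi</h1>")
    (tmp / "secret.txt").write_text("outside the web root")
    os.symlink(tmp / "secret.txt", root / "link")
    return {
        "normal": resolve_static(root, "index.html", True, False) == root / "index.html",
        "traversal_unpatched": resolve_static(root, "../secret.txt", True, False) == tmp / "secret.txt",
        "traversal_patched": resolve_static(root, "../secret.txt", True, True),
        "symlink_patched": resolve_static(root, "link", True, True) == tmp / "secret.txt",
        "symlink_nofollow": resolve_static(root, "link", False, True),
    }
```

The `symlink_patched` case is what the fixed check still allows on purpose: a link that lives inside the root may point elsewhere, while a `../` in the request itself is rejected.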

Source: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f