
CVE-2024-23334 PoC: aiohttp path traversal vulnerability

Associated Vulnerability
Title: aiohttp path traversal vulnerability (CVE-2024-23334)
Description: aiohttp is an open-source asynchronous HTTP client/server framework for asyncio and Python. aiohttp versions before 3.9.2 contain a path traversal vulnerability: when `follow_symlinks` is set to True, the static file handler does not check that the file being read lies inside the static root directory, so a request can read files outside it.
Description
A proof of concept of the LFI vulnerability on aiohttp 3.9.1
Readme
# CVE-2024-23334-PoC
A proof of concept for the path traversal (arbitrary file read, labelled LFI here) in aiohttp 3.9.1. The `follow_symlinks` option of the static route handler (`web.static()` / `app.router.add_static()`) controls whether symbolic links pointing outside the static root directory are followed. When `follow_symlinks` is set to True, aiohttp 3.9.1 and earlier perform no check that the resolved file lies within the root directory, so `../` segments in the request path walk out of it and any file the server process can read becomes reachable. The default (`follow_symlinks=False`) keeps the containment check and is not affected; the issue is fixed in aiohttp 3.9.2. Note that the `../` segments must reach the server unnormalised: most HTTP clients collapse dot segments before sending, so the request has to be issued with normalisation disabled (for curl, `--path-as-is`).

# Usage

```bash
bash lfi.sh -u target_url -f File_to_Read
```

![image](https://github.com/user-attachments/assets/5b1e9449-d720-4982-81af-571aca45dbd2)

# Example

![image](https://github.com/user-attachments/assets/8730b3ce-cf55-4be0-9a71-34ff3321f4d4)
File Snapshot

```
[4.0K] /data/pocs/a957940838669395191202875bb337799271799d
├── [1.3K] lfi.sh
└── [ 704] README.md

0 directories, 2 files
```