## https://sploitus.com/exploit?id=D05A7DF8-7BA3-54DC-8A99-9DE41DC6DC60
# CVE-2024-23334
Proof of concept for the LFI/path traversal vulnerability in aiohttp <= 3.9.1
> [!IMPORTANT]
> This script is meant for educational purposes only.
>
> Any illegal usage is strictly prohibited.
>
## How to run?
```
$ git clone https://github.com/wizarddos/CVE-2024-23334
$ cd CVE-2024-23334
$ python3 exploit.py -u [url] -f [file] -d [static directory]
```
> [!Note]
> Remember to match slashes in the URL and the static dir: if you type `http://127.0.0.1/`, then pass the directory without a slash (like `static`), and vice versa (URL without a slash and directory with it).
## Why does it work?
The vulnerability lies in how aiohttp handles requests for static resources.
If we write code like this:
```py
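from aiohttp import web

app = web.Application()
app.router.add_routes([
    # follow_symlinks=True is the setting that exposes the traversal
    web.static("/static", "static/", follow_symlinks=True)
])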
```
`follow_symlinks=True` makes it vulnerable to LFI.
To serve static resources, you need to specify their root directory.
The `follow_symlinks` option tells `aiohttp` to follow symbolic links that point outside the root directory, yet it doesn't check whether the link itself lies in the root dir.
So even if the said "symlink" isn't a link at all, `aiohttp` reads that file and returns its contents.
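
The missing containment check, as an added example (not part of this PoC and not aiohttp's own code): `unchecked_lookup`, `contained_lookup` and `demo` are hypothetical helpers, and the directory tree is constructed in a temporary folder. It contrasts the unchecked join with a lookup that rejects `..` escapes while still following symlinks stored inside the root when `follow_symlinks` is on.

```python
import os
import tempfile
from pathlib import Path


def unchecked_lookup(root: Path, requested: str) -> Path:
    """The flawed pattern: join and resolve with no containment check."""
    return (root / requested).resolve()


def contained_lookup(root: Path, requested: str, follow_symlinks: bool) -> Path:
    """Return the file to serve; raise PermissionError if it escapes root."""
    root = root.resolve()
    if follow_symlinks:
        # Collapse ".." lexically: only a real symlink inside root may lead out.
        candidate = Path(os.path.normpath(root / requested))
    else:
        # Resolve symlinks as well: nothing outside root is ever served.
        candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"{requested!r} is outside the static root") from None
    return candidate.resolve()


def demo() -> dict:
    """Compare both lookups on a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "static"
        root.mkdir()
        (root / "app.css").write_text("body{}")
        (base / "secret.txt").write_text("constructed sample")
        (root / "link.txt").symlink_to(base / "secret.txt")
        out = {"unchecked": unchecked_lookup(root, "../secret.txt") == base / "secret.txt"}
        cases = [("app.css", True), ("../secret.txt", True), ("/secret.txt", True),
                 ("link.txt", True), ("link.txt", False)]
        for name, follow in cases:
            try:
                contained_lookup(root, name, follow)
                out[(name, follow)] = "served"
            except PermissionError:
                out[(name, follow)] = "rejected"
        return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```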
Source
[https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f](https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f)