Aria2 is a lightweight, multi-protocol, multi-source command-line download tool (supporting HTTP/HTTPS, FTP, BitTorrent, Metalink) with built-in XML-RPC and JSON-RPC interfaces. With permission to call the RPC interface, we can instruct Aria2 to download a file into any directory, which results in an arbitrary file write vulnerability.
After setting up the environment using Vulhub, access port 6800; receiving a 404 page indicates that the service has started.

Since RPC communication requires using JSON or XML, which is not very convenient, we can use a third-party UI to communicate with the target, such as http://binux.github.io/yaaw/demo/
Open Yaaw, click the configuration button, and fill in the address of the host where Aria2 is running:
http://your-ip:6800/jsonrpc

Then click "Add" to create a new download task. In the "Dir" field, specify the directory to download to, and in the "File Name" field, specify the file name. For example, we can write a pre-prepared test file.

Then add the task.

At this point, we enter the container to check the /tmp directory.

File successfully written!
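
To check whether your own Aria2 deployment leaves this RPC path open, the following added example (not part of the original write-up or of Aria2 itself) audits an aria2.conf for the RPC options that control who can reach and call the interface. The two configurations and the finding labels are constructed for illustration; the option names are Aria2's own.

```python
# Added example, not from the original page: audit an aria2.conf for RPC
# settings that leave the file-write path above open to unintended callers.

def parse_conf(text):
    """aria2.conf holds one 'key=value' per line; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts

def is_true(opts, key):
    # aria2's boolean RPC options are false when absent
    return opts.get(key, "false").lower() == "true"

def audit(text):
    opts = parse_conf(text)
    if not is_true(opts, "enable-rpc"):
        return []  # RPC interface disabled: nothing to call
    findings = []
    if not opts.get("rpc-secret"):
        findings.append("no-rpc-secret")  # any reachable client may add tasks
    if is_true(opts, "rpc-listen-all"):
        findings.append("listens-on-all-interfaces")  # not loopback-only
    if is_true(opts, "rpc-allow-origin-all"):
        findings.append("any-web-origin-allowed")  # any page may call the RPC
    if not is_true(opts, "rpc-secure"):
        findings.append("rpc-not-encrypted")  # secret sent in cleartext
    return findings

# Constructed sample: RPC open to the network with no token.
EXPOSED_CONF = """\
enable-rpc=true
rpc-listen-all=true
rpc-allow-origin-all=true
dir=/downloads
"""

# Constructed sample: loopback-only, token required, TLS enabled.
HARDENED_CONF = """\
enable-rpc=true
rpc-listen-all=false
rpc-secret=REPLACE_WITH_LONG_RANDOM_TOKEN
rpc-secure=true
rpc-certificate=/path/to/cert.pem
rpc-private-key=/path/to/key.pem
"""
```

A secret only limits who can call the RPC; a caller who holds it can still choose the download directory, so Aria2 should also run as an unprivileged user with write access limited to its download path.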