Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jellyfin-cve-2021-21402 #1206

Closed
wants to merge 8 commits into from
Closed

jellyfin-cve-2021-21402 #1206

wants to merge 8 commits into from

Conversation

Print1n
Copy link
Contributor

@Print1n Print1n commented Apr 27, 2021
edited
Loading

本 poc 是检测什么漏洞的

Jellyfin 任意文件读取漏洞(CVE-2021-21402)

测试环境

fofa title="Jellyfin" || body="http://jellyfin.media"

备注

之前有一个师傅提交了该POC,但是他的检测版本限于Windows系统,无法检测Linux系统
图片

@smile-jpg smile-jpg added the 等待作者修改 poc 有问题,等修改后继续 review label Apr 28, 2021
@Print1n Print1n closed this Apr 28, 2021
@Print1n Print1n reopened this Apr 28, 2021
@Print1n Print1n closed this Apr 28, 2021
@Print1n Print1n changed the title create poc-yaml-jellfin-cve-2021-21402 jellfin-cve-2021-21402 Apr 28, 2021
@Print1n Print1n reopened this Apr 28, 2021
@Print1n Print1n requested a review from smile-jpg April 29, 2021 08:13
@smile-jpg
Copy link
Collaborator

PoC 格式存在问题,有多余的缩进,建议参考其他 PoC 格式

@Print1n Print1n changed the title jellfin-cve-2021-21402 jellyfin-cve-2021-21402 Apr 29, 2021
smile-jpg
smile-jpg reviewed Apr 30, 2021
View reviewed changes
pocs/jellyfin-cve-2021-21402.yml
response.status==200 && response.body.bcontains(b"extensions") && response.body.bcontains(b"files")
Linux:
- method: GET
path: /Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/
Copy link
Collaborator

@smile-jpg smile-jpg Apr 30, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

windows 上有没有 jellyfin.db 这个文件,如果有,是不是可以考虑合并为一个请求

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Windows确实存在jellyfin.db这个文件,但是部分Windows系统jellyfin.db文件过大,导致读取jellyfin.db文件失败。此时配合读取win.ini文件才能验证漏洞成功。例如:http://5.160.4.147:1554/,该url读取jellyfin.db失败,但是读取win.ini成功

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

如果单纯考虑jellyfin.db文件,可能造成部分Windows系统漏洞验证不成功

Copy link
Collaborator

@smile-jpg smile-jpg May 7, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

那建议不读 jellyfin.db,换一个Linux和Windows都能读的文件,合并为一个请求,这样在批量扫描的时候可以少发很多请求,加快扫描速度。

@Print1n Print1n requested a review from smile-jpg May 6, 2021 02:28
@Print1n Print1n closed this May 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smile-jpg smile-jpg Awaiting requested review from smile-jpg

Assignees
No one assigned
Labels
等待作者修改 poc 有问题,等修改后继续 review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Print1n @smile-jpg